IDG 



INFO  SECURITY  STANDARDS 
Why  they  need  to  grow  up 

PAGE  32 


MERGERS  WITH  A  CLUE 
Baking  security  issues 
into  the  M&A  process 

PAGE  38 


REPORT  CARD 
How  federal  agencies 
stack  up  against  the 
private  sector  (hint:  needs 
improvement) 

PAGE  44 


THE  RESOURCE  FOR  SECURITY 


CSO  UNDERCOVER 
My  outsourcing 
nightmare 

PAGE  58 




Check Point.

We  secure  the  networks 
of  the  Fortune  500. 


As  the  world  leader  in  Internet  security,  Check  Point’s™ 
integrated  security  solutions  Connect,  Protect,  Manage 
and  Accelerate  the  network  security  of  more  than  100 
million  users  worldwide. 


CONNECT.  Leading  global  companies  rely  on  Check  Point  VPN  solutions  to 
connect  employees  and  offices  everywhere.  Regardless  of  where  business 
happens  — even  in  the  most  remote  locations  — people  and  companies  are 
securely  connected  to  their  critical  information. 


PROTECT.  Check  Point’s  fail-safe  firewall  infrastructure  provides  the  highest 
level  of  security  for  every  network  from  the  edge  to  the  core.  Our  authentication, 
access  control,  and  content  security  features  have  become  the  trusted  global 
industry  standard. 


MANAGE.  Check  Point’s  revolutionary  Security  Management  Architecture 
(SMART™)  lets  you  instantly  deploy  and  distribute  security  policies  regardless  of 
user  location.  All  aspects  of  network  security  can  be  defined  and  managed  from 
a  single  console  dramatically  reducing  your  total  cost  of  ownership. 


ACCELERATE.  Check  Point’s  VPN  and  firewall  solutions  deliver  wire-speed 
performance  up  to  three  times  faster  than  other  network  solutions.  Now  you  can 
maintain  absolute  network  security  without  sacrificing  the  performance  of 
business-critical  applications  or  bogging  down  your  network. 

Check  Point 


Find  out  the  latest  in  Internet  security  by  downloading 
our  white  paper  “Building  Secure  Wireless  LANs”  at 
www.checkpoint.com/wireless/cso  or  call  (866)  488-6686. 


We  Secure  the  Internet. 


©2002  Check  Point  Software  Technologies  Ltd.  All  rights  reserved. 



Protection  in  every  location. 
Managed  and  integrated 
from  one  location. 


Introducing the Symantec™ Security Management System.

For  the  first  time,  security  data  from  multiple  locations, 
multiple  tiers  —  even  multiple  brands  of  information 
security  products  —  can  be  managed  with  a  single  system, 
at  a  single  console.  Which  means  that  enterprise-wide 
policy  compliance  is  finally  a  real  possibility.  It  also  means 
that  because  you've  simplified  your  environment,  you  can 
reduce  your  operating  costs.  And,  most  importantly,  you 
can  now  be  more  responsive  to  new  and  emerging  threats, 
eliminating  them  before  they  do  damage.  It’s  part  of  a 
revolution  in  information  security,  a  revolution  that  offers 
better  protection,  efficient  management  and  ensured  business 
continuity for your entire enterprise. For our latest White
Paper, “Managing Security Incidents in the Enterprise,” visit
http://ses.symantec.com/USA659A8VE or call 800-/45-6054.


Symantec, 


Symantec  Security  Management  Console  Symantec. 



26  COVER  STORY 
Avoiding  the  Road  to  Perdition 

SECURITY ABROAD Foreign travel and expatriate postings can sometimes turn ugly. CSOs, sworn to keep employees out of harm’s way when they’re on the road, are using travel risk services to offer an extra margin of safety. By Daintry Duffy

32  Guiding  Lite 

STANDARDS  Information  security  “standards”  are 
quite  a  bit  less  than  that— and  that  needs  to  change. 

By  Sarah  D.  Scalet 

38  Mix  Masters 

MERGERS  &  ACQUISITIONS  Get  involved  early— and 
often— in  your  company’s  M&A  strategy.  If  you  leave 
security  planning  until  the  end,  you  may  not  have 
enough  dollars  in  your  budget  to  get  you  where  you 
need  to  go.  By  Simone  Kaplan 

44  “F”  Is  for  Feds 

FEDERAL  AGENCIES  Beleaguered  public  sector  CSOs  are 
grappling  with  tight  budgets  and  red  tape  for  what 
seems  to  be  a  no-win  battle  to  secure  their  information 
systems.  How  do  the  government’s  security  efforts 
stack  up  against  the  private  sector’s?  By  Jennifer  Jones 


22  Law  and  Order  in  a 
Networked  World 

SECURITY  COUNSEL  Jeffrey  Bedser,  COO  of  infosec 
threat-management  company  ICG,  answers  readers’ 
cybersecurity  questions. 

24  Merger  Mambo 

FLASHPOINT Mergers can make a mess of security. Here are some suggestions for guiding your organization through the confusion. By David H. Holtzman

58  Why  Outsourcing  Won’t  Work 

CSO  UNDERCOVER  The  number  crunchers  don’t  see 
security  management  the  same  way  that  CSOs  do. 
That’s  why  they’re  willing  to  turn  it  over  to  strangers. 

DEPARTMENTS 

13  Briefing 

Itsy-bitsy  cameras;  Good  security  comes  to  those  who 
pay;  I  smell  a  rat;  Cold,  hard  drive  facts. 

20  Wonk 

A  Homeland  Who’s  Who:  The  Department  of 
Homeland  Security  is  staffing  up.  Here’s  a  look  at  the 
talent  pool.  By  Julie  Hanson 

51  Machine  Shop 

Computer  forensic  tools  now  make  it  possible  to  more 
easily  search  for— and  find— evidence  on  hard  drives. 
By Simson L. Garfinkel
TOOLBOX:  New  video  products 

64  Debriefing 

POP  QUIZ:  Patents 


Cover  photo  by 
Jeff  Seiortino 
and  Getty  Images 


IN EVERY ISSUE 6 CSOonline.com 8 Letter from the Editor 10 Advisers 62 Index




Lynn Mattice, director of corporate security for Boston Scientific’s global operations, says attention to security details before a merger takes place might actually help reduce the overall costs.


4  www.csoonline.com  March  2003 




Provisioning  giving  you  a  headache ? 


With  CONTROL-SA,  provisioning  is  no  longer  a  daunting  task.  It’s  secure,  cost-effective,  and 
provides  you  with  complete  control  over  your  IT  infrastructure  and  business  resources. 

Serving  as  the  foundation  for  secure  identity  management,  CONTROL-SA  enables  your 
organization  to  meet  today’s  business  challenges  and  benefit  from  a  rapid  return  on  investment. 
Administration  is  streamlined.  Access  is  granted  and  revoked  in  minutes  -  not  days.  Passwords 
and  user  IDs  are  managed  effectively.  And  your  organization  is  one  step  closer  to  full 
compliance  with  privacy  regulations. 

CONTROL-SA,  the  pioneering  provisioning  solution  with  the  most  customers  and  one  of 
the  longest  deployment  histories,  now  provides  enhanced  Identity  Management  capabilities: 

•  Easy  administration  via  a  Web-based  Security  Console 

•  Fast  deployment  and  rapid  ROI  using  the  XpressAgent  methodology 

•  Open  architecture  facilitating  integration  with  current  IT  implementations 

•  Unmatched  scalability  to  serve  large  global  enterprises 

•  Enhanced  connectivity  to  LDAP- enabled  applications  via  LDAP  interface 

For more information, call 800-865-4262 or visit www.bmc.com/security/provisioning

BMC  Software,  the  BMC  Software  logos  and  all  other  BMC  Software  product  or  service  names  are  registered  trademarks  or  trademarks  of  BMC  Software,  Inc. 

All  other  trademarks  or  registered  trademarks  belong  to  their  respective  companies.  ©2003  BMC  Software,  Inc.  All  rights  reserved. 


RELIEVE  THE 
PROVISIONING  PAINS 
WITH  CONTROL-SA® 




ings  in  our  EVENT  CALENDAR.  Need 
advice?  Ask  our  CAREER  ADVISER.  Want 
to  know  who  is  where?  Read  MOVERS  & 
SHAKERS,  www.csoonline.com/career 

Only  Online 

Check  out  the  fresh  content  on  CSOonline 
every  weekday.  Here’s  what  you’ll  find: 

MONDAY 

TALK  BACK  What’s  the  right  thing  to  do 
when  you  discover  software  flaws?  Visit 
each  week  to  share  your  opinion  on  this 
and  other  controversial  security  topics. 

www.csoonline.com/talkback 


Security 

Counsel 


This  month,  Daniel 
Geer,  CTO  of 
@  Stake,  is  available 
online  to  answer 
your  questions 
about  malpractice 
insurance  for  information  security.  Should 
CSOs  receive  insurance  coverage  similar  to 
doctors? Certainly the CSO job is inherently risky. What do you think? Visit
SECURITY  COUNSEL  to  post  a  question  or 
to  read  past  expert  advice  columns. 
www.csoonline.com/counsel 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


President  Walter  Manninen 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Executive  Editor  Derek  Slater 
Managing  Editor  Elaine  M.  Cummings 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editors  Scott  Berinato,  Daintry  Duffy 
Research  Editor  Lorraine  Cosgrove  Ware 
Senior  Writer  Sarah  D.  Scalet 
Staff  Writer  Simone  Kaplan 
Copy Chief Tom Wailgum
Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Copy Editors Kelli A. Gauthier (Assoc.),

Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Special  Projects  Manager  Lynne  Z.  Rigolini 
Editorial  Resource  Manager  Carol  Zarrow 
Editorial  Assistants  Daniel  J.  Horgan,  Joe  Sullivan 

Contributors Jeffrey Bedser, Simson L. Garfinkel,
David  H.  Holtzman,  Jennifer  Jones,  Paul  Roberts 

Editorial  Operations  Specialist  Julie  Hanson 


DESIGN 


Get  Alarmed 

Read  informed  opinions  on  security  and 
privacy topics from CSO’s outspoken
experts,  Senior  Editor  Scott  Berinato  and 
Senior  Writer  Sarah  D.  Scalet. 

www.csoonline.com/alarmed 


TUESDAY 

SECURITY  CHECK  Vote  in  our  weekly 
poll. You may also check the results of previous polls such as “Is your company’s
acceptable-use  policy  published  anywhere 
besides  the  company  handbook?” 
www.csoonline.com/poll 


Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Senior  Designer  Chandra  Tallman 
Design  Operations  Specialist  Rachel  Barnett 

WEBSITE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Web  Editorial  Director  Art  Jahnke 


Free  Newsletters 

CSO  newsletters  delivered  right  to  your 
inbox  every  month— for  free.  CSO  UPDATE 
highlights  the  most  recent  content  posted 
on  CSOonline.  CSO  WANTED  UPDATE 
alerts  you  to  the  latest  security-related  job 
openings  in  our  database.  It  takes  only  a 
few  seconds  to  subscribe. 
www.csoonline.com/newsletters 

CSO  Research  Centers 

Visit  CSOonline’s  RESEARCH  CENTERS  for 
archived  articles  from  CSO  and  its  sister 
publications,  webcasts,  interviews  and 
links  to  relevant  sources. 

www.csoonline.com/research


WEDNESDAY 

ANALYST  REPORTS  We’ve  gathered 
research  and  analysis  from  respected 
sources and put it in one convenient package. In a recent report, Giga Information
Group  suggests  that  CSOs  use  the  Balanced 
Scorecard  to  align  business  and  security 
projects,  www.csoonline.com/analyst 

THURSDAY 

METRICS  According  to  a  recent  survey  of 
470  network  managers,  new  viruses  and 
blended  threats  rank  as  the  number-one 
security/business  challenge  of  2003.  Visit 
each  week  for  more. 
www.csoonline.com/metrics 

FRIDAY 

POLITICS & POLICY Read the full text of


Executive  Web  Editor  Martha  Heller 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Director  of  Online  Research  Kathleen  Kotwica 
Audience  Development  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 


Founder  Joseph  L.  Levy 

INTERNATIONAL  DATA  GROUP 

Board  Chairman  Patrick  J.  McGovern 


Career  Resources 

Jump-start  or  advance  your  career  with 
postings  in  our  JOB  CENTER  and  the  list- 


bills  before  the  House  and  Senate,  and 
blurbs  about  other  legislative  and  political 
activity— inside  the  Beltway  and  out. 

www.csoonline.com/politics 


CEO Pat Kenealy

BPA  INTERNATIONAL  MEMBERSHIP 

Applied  for  August  2002 
©  CXO  Media  Inc. 


6  www.csoonline.com  March  2003 


YOUR  VPN  ACCESS. 

YOUR  NETWORK  ACCESS. 

YOUR  WEB  ACCESS. 

YOUR  EMAIL  ACCESS  &  CONFIDENTIALITY. 

YOUR  COMPUTER  BOOT  &  FILES  PROTECTION. 



YOUR  SECURE  KEY  STORAGE. 

YOUR  SECURE  CERTIFICATE  STORAGE. 

YOUR  SECURE  PASSWORD  STORAGE. 

YOUR  SECURE  KEY  GENERATOR. 


It's  your  digital  identity  organizer. 

Just  one  secure  device  for  all  your  passwords,  keys,  and  certificates. 


Aladdin's eToken is strong, reliable 2-factor authentication that simplifies your life while securing your world. Stop the memorization of awkward passwords. Vastly improve your organization's security. Your users only need to remember one eToken password and have their eToken for secure access. eToken is the smart card that doesn't need a reader or a server. It simply plugs into a USB port, which makes eToken easy to deploy and really affordable. Call 1-800-562-2543 or go to eAladdin.com/eToken to request a free corporate information kit on how eToken can secure your network and simplify your life.

Aladdin. Securing the Global Village. eAladdin.com


Body  Slam 


You  could  tell  that  the  SQL  Slammer  infestation  was  a 
biggie  just  by  the  volume  of  self-congratulatory  e-mail 
from  vendors  claiming  to  have  the  problem  licked.  When 


people  start  yelling  that  everything  is  under  control,  that’s  when  you  start  to 
worry.  Informal  polling  around  our  offices  reveals  a  volume  of  Slammer-related 
messages  vastly  higher  than  that  which  followed  earlier  viral  or  vermicular 
outbreaks.  Must  have  been  a  lot  of  folks  caught  unprepared  for  this  one. 

In  downtown  Boston  there’s  an  apartment  complex  with  a  famous  sign 
outside,  facing  one  of  Beantown’s  many  traffic  bottlenecks.  The  sign  reads,  “If 
you  lived  here,  you’d  be  home  now.”  Much  of  the  e-mail  regarding  the  SQL 
Slammer  worm  was  roughly  in  that  vein:  “If  you  had  used  MonkeyMax  DMZ, 
you  wouldn’t  have  had  any  Slammer  issues!”  But  the  truth  is  a  little  weirder 
than  the  lack  of  MonkeyMax  DMZ  (for  those  eager  to  get  some,  I  made  it  up). 
The vulnerability was well-known, and the patch to fix it has been widely available since last summer, when Microsoft released it along with a critical security
bulletin.  The  half  million  or  so  vulnerable  servers  were  found  in  enterprises 
where  somebody  hadn’t  gotten  around  to  applying  the  patch.  What  could 
explain  this? 

At  first  blush,  one  might  conclude  that  the  sign  should  instead  read:  “If  you 
weren’t  such  a  worthless  dope,  you  wouldn’t  have  had  any  Slammer  issues!” 

Much  of  the  semiflaming  Slammer  debate,  as  seen  in  postings  on  various 
websites,  pitted  people  who  reject  Microsoft  and  all  its  allegedly  invidious 
works  against  those  who  think  network  admins  (or  anyone  else  who’s  handy 
to  be  blamed)  are  lazy  dogs  who  ought  to  show  a  lot  more  attention  to  detail. 
Amid  the  charges  and  countercharges  are  some  undeniable  gray-scale  realities. 
The patch, it turns out, is somewhat harder and less convenient to install than its Band-Aidy name would imply. It can require taking a (sometimes mission-critical) system offline for hours and can interact badly with applications that haven’t been updated to accommodate it. So laziness is not quite the right characterization of those responsible for the afflicted servers. For those facing the need to prioritize investments of time and effort (some leading to considerable inconvenience for users and businesses), gambling becomes one of the tools of the trade. Naturally, snake eyes can sometimes be the result.

In  the  Shoemaker’s  Barefoot  Children  Dept.,  even 
Microsoft’s  own  internal  network  had  servers  getting 
whacked by the worm. The irony of this must be delicious for combatants on both sides of the issue. But if
Microsoft  can’t  get  its  own  act  together  with  respect  to 
the  patch  application,  how  can  the  company  credibly 
level  its  finger  at  the  legions  of  similarly  ill-prepared 
customers? 

In a world in which nearly every single piece of technology is complicated, most networked environments— consisting of many thousands of single pieces, often oddly matched and haphazardly assembled— are so byzantine as to defy all reasonable efforts to keep up with maintenance and repair. SQL Slammer is a fresh reminder that to gamble on risk is to flirt with disaster. CSOs who are not now entirely comfortable with the policies and procedures their enterprises follow in applying and testing the patch should quickly remediate this area of risk.

-Lew  McCreary 
mccreary@cxo.com 


8  www.csoonline.com  March  2003 


PHOTO  BY  WEBB  CHAPPELL 


CCTP would have made his life much easier.

Introducing CCTP™, video surveillance for the digital age.

Want to know more? Simply go to anixter.com/CCTP or call 1-800-ANIXTER.

CCTP, engineered by Anixter, is:

•  The  only  open  architecture,  standards-based, 
structured  video  surveillance  solution 

•  30%  less  expensive  than  traditional 
CCTV  systems 

•  Video,  Power  and  Control  over  one  optimized 
UTP  cable 

•  Able  to  handle  existing  analog  technology 

•  Ready  for  the  IP  surveillance  future 

»CCTP  products  exclusively  manufactured  for  Anixter  by  Belden  and  Siemon. 


CSO wishes to thank the following individuals for serving as
our editorial Board of Advisers, supplying their expertise and
guidance to CSO’s editors.*

CHRIS  CHRISTIANSEN 

Program  Vice  President,  eBusiness 
Infrastructure  and  Security  Software,  IDC 


JOHN  HARTMANN 

Vice  President  of  Security  and 
Corporate  Services,  Cardinal  Health 


How  to  Reach  Us 

E-MAIL 

csoletters@cxo.com 

PHONE 

508  872-0080 

FAX 

508  879-7784 

ADDRESS 


STEPHEN  E.  CROSS 

Director  and  CEO 
Software  Engineering  Institute  and 
CERT  Coordination  Center 
Carnegie  Mellon  University 

DAVID  CULLINANE 

CISO,  Washington  Mutual 
President,  Information  Systems 
Security  Association 

DOROTHY  DENNING 

Professor 

Department  of  Defense  Analysis 
Naval  Postgraduate  School 


STEVE  KATZ 

President,  Security  Risk  Solutions 

MICKI  KRAUSE 

CISO,  Pacific  Life  Insurance 

BRUCE  SCHNEIER 

CTO,  Counterpane  Internet  Security 

JOHN  TRITAK 

Former  Director 

Critical  Infrastructure  Assurance  Office 

KRIZI  TRIVISANI 

Information  Security  Officer 
The  George  Washington  University 


CSO  Magazine 

492  Old  Connecticut  Path,  P.0.  Box  9208 
Framingham,  MA  01701-9208 

SUBSCRIBER  SERVICES 

Phone:  866  354-1125 
Fax:  847  564-9002 
E-mail:  cso@omeda.com 

REPRINTS 

Reprints  are  available  by  calling  Reprint  Services 
at  651  582-3834,  or  via  e-mail  at 
csoreprints@reprintservices.com. 

ABOUT  IDG  International  Data  Group  (IDG),  the 
leading  global  provider  of  IT  media,  research, 
conferences  and  events,  informs  more  people 
about  technology  than  any  other  company  in  the 
world.  Offering  the  widest  range  of  media  options, 
IDG  reaches  more  than  120  million  technology 
buyers  in  85  countries  representing  95  percent  of 


DANIEL  E.  GEER  JR. 

CTO,  @Stake 

DAVID  M.  HAGER 

Vice  President,  Network  Security 
and  Disaster  Recovery 
OppenheimerFunds


JAMES  WADE 

CISO,  KeyCorp 
President,  ISC2 

ROBERT  WEAVER 

Assistant  Special  Agent  in  Charge 
Secret  Service  Electronic  Crimes  Task  Force 
New  York  City 


*Their  participation  does  not  imply  an  endorsement  of  the  magazine’s  contents  or  opinions. 


worldwide  IT  spending.  IDG  publishes  more  than 
300  newspapers  and  magazines  in  85  countries, 
led  by  the  Computerworld,  Infoworld,  Macworld, 
Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the
work  of  technology-specific  sites  around  the 
world  through  IDG.net  ( www.idg.net ),  a  gateway 
to  IDG's  330  websites  powered  by  more  than 
2,000  journalists  reporting  from  every  continent 
in  the  world.  IDG  also  produces  168  technology- 
related  conferences  and  events,  and  research 
company  IDC  provides  global  market  intelligence, 
analysis  and  forecasts  in  43  countries. 


“There  are  only  three  things  you  can 
do  to  risk:  You  can  correct  it,  you  can 
accept  it,  or  you  can  accept  some 
portion  of  it  and  transfer  the  rest.” 

-STEVE  KATZ,  FOUNDER  AND  PRESIDENT  OF  CONSULTANCY  SECURITY 
RISK  SOLUTIONS  (SEE  “YOU  CAN  BANK  ON  IT,”  PAGE  16) 


10  www.csoonline.com  March  2003 


PHOTO  BY  STEVEN  VOTE 


Can  your  network  pass  the 
SANS/FBI  security  test? 


The  Federal  Bureau  of  Investigation  and  the  SANS 
Institute,  an  independent  association  of  more  than 
156,000  information  security  professionals  in 
October  2002  published  a  roster  of  the  Top  20 
Internet  security  vulnerabilities.  Successful  intrusions 
of  Internet  connected  systems  usually  exploit  one  or 
more  of  these  flaws.  You  need  to  know  which  ones 
you’ve  got  to  ensure  your  network  is  secure. 


Qualys  makes  that  easy  -  and  free. 

Find  out  now  at  http://sans20.qualys.com 


Qualys  provides  a  comprehensive,  ON-DEMAND 
security  audit  service  for  the  enterprise.  With  Qualys, 
organizations  can  effectively  manage  their  vulnerabilities 
and  have  control  over  their  network  security  with 
centralized  reports  and  one-click  links  to  verified 
remedies.  And  because  the  service  is  delivered  over  the 
web,  enterprises  can  run  network  security  audits 
anytime,  and  get  the  results  delivered  in  minutes 
without  the  extra  cost  of  deployment  and  maintenance. 


Find  out  in  minutes  at 
http://sans20.qualys.com 


For  product  information,  call  toll-free  1-800-745-4355  or  visit  www.qualys.com. 

©  2003  Qualys  Corporation,  all  rights  reserved. 


Find  confidence  in  the  midst  of  chaos. 


Focus  on  the  best  in  network  security,  every  step  of  the  way. 


Start  with  a  secure  foundation. 

Our  operating  system,  IPSO,  is  built  from  the  ground  up  for  security. 
It  eliminates  many  vulnerabilities  common  to  general-purpose 
servers,  and  also  incorporates  our  patented  IP  Clustering  technology. 
Multiple  Nokia  security  appliances  can  be  linked  as  one,  on  the  fly, 
for  new  levels  of  performance,  reliability  and  scalability. 


Integrate  the  best  in  network  security  expertise. 

Partners  like  Check  Point  Software  Technologies,  Internet  Security 
Systems  and  F5  help  us  deliver  the  full  capabilities  of  their  VPN, 
firewall,  intrusion  protection,  and  Internet  traffic  management 
applications.  To  learn  about  the  other  ways  we  give  our  customers 
greater  peace  of  mind,  just  visit  www.nokia.com/ipsecurity/na. 


NOKIA 

Connecting  People 


©  Nokia  Inc.  2002.  All  rights  reserved.  Nokia  and  Nokia  Connecting  People  are 
registered  trademarks  of  the  Nokia  Corporation.  Other  product  and  company  names 
mentioned  herein  may  be  trademarks  or  trade  names  of  their  respective  owners. 


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  Carr  and  Daintry  Duffy 


Itsy-Bitsy  Cameras 

SURVEILLANCE  If  you’ve  flown  out  of  LAX  recently,  you  might 
have  seen  one  of  the  1,200  new  surveillance  cameras— or  perhaps  you 
didn’t  see  anything  at  all.  The  new  digital  cameras  are  a  lot  smarter  than 
the  analog  devices  currently  in  place  at  other  airports,  and  they’re  also 
a  lot  smaller— so  small,  in  fact,  that  the  public  just  might  not  notice 
them.  “The  newer  equipment  requires  less  space,  it’s  more  concealed, 
and  it  can  hold  quite  a  bit  of  memory  and  electronics,”  spokeswoman 
Nancy  Castles  says.  “If  you  know  what  to  look  for,  you  can  see  it.” 

And  if  you  don’t,  well,  you  won’t. 

Right  now,  walk  into  any  branch  bank,  and  you’ll  probably  see 
those  familiar  half  domes  on  the  ceiling.  But  a  growing  number  of 
surveillance  cameras,  even  if  they’re  not  deliberately  hidden,  are  so 
small  it  takes  a  skilled  eye  to  scout  them  out.  The  NYC  Surveillance 
Camera  Project  has  posted  the  location  of  public  cameras  in  New 
York  City  to  raise  awareness  about  surveillance.  The  group’s  website 
(www.mediaeater.com/cameras) has pictures, complete with red
circles  and  arrows. 

All  of  which  leaves  security  chiefs  with  a  whole  new  decision  to 
ponder:  to  tell  or  not  to  tell.  In  England,  it  seems,  the  question  has 


been  answered.  Whether  citizens  are  on  the  subway  or  walking 
down  the  street,  they  encounter  signs  warning  them  that  they’re  on 
camera.  But  such  warnings  are  still  relatively  uncommon  in  the 
United  States. 

“Some  kind  of  sign  that  they’re  there  not  only  warns  people,  it 
acts  as  a  deterrent,”  says  William  G.  Staples,  a  sociology  professor 
at  the  University  of  Kansas.  -Sarah  D.  Scalet 


CSO  SECURITY  CHECK 


Good  Security  Comes  to  Those  Who  Pay 


INFRASTRUCTURE PROTECTION Security. It’s even in the water. Recently, the Pennsylvania-American Water Co. informed 600,000 customers that it was seeking permission from regulators to charge an extra 4 cents per day to cover its antiterrorism protection measures. Utility companies across the nation are starting to increase their rates to cover the cost of protecting themselves from terrorist attacks. According to a 2002 survey by the National Regulatory Research Institute, more than 13 states have been approached by utilities in the past year seeking permission to bump up their rates to pay for security costs.

Considering  the  focus  on  critical  infrastructure  protection  since  Sept.  11,  the  utilities’  move 
should  be  no  surprise  to  states  or  consumers,  says  Paula  Scalingi,  founder  and  former  director 
of  the  Department  of  Energy’s  Office  of  Critical  Infrastructure  Protection  and 
president  of  the  Scalingi  Group,  an  infrastructure  security  consultancy. 

"Utilities  are  like  any  other  business— they  have  to  watch  their  bottom  line, 
and  they  are  faced  with  a  security  burden  that  wasn't  there  prior  to  9/11," 

Scalingi  explains. 

“Every  piece  of  the  country's  infrastructure  is  connected  and 
dependent  upon  each  other,”  she  says.  "Services  such  as  utilities  have 
to  be  prepared  to  reconstitute  themselves  quickly  if  an  attack  takes 
place,  even  if  they’re  not  the  target.  And  that  preparation  may  be  on  the 
costly  side."  -Simone  Kaplan 


Do  you  provide  additional 
security  training  to  employees 
before  they  travel  to  potentially 
dangerous  regions? 


Most  CSOs  do  not  adequately  ensure  the  safety 
of  employees  traveling  in  harm’s  way.  Don’t  be 
one  of  them.  To  learn  how  to  keep  your 
employees  safe,  read  Senior  Editor  Daintry 
Duffy’s  story,  “Avoiding  the  Road  to  Perdition,” 
on  Page  26. 


To  participate  in  CSO  Security  Check  polls, 
visit  www.csoonline.com. 


ILLUSTRATIONS  BY  CALEF  BROWN;  PHOTO  BY  ALBERTO  CAPOLINO 


March  2003  www.csoonline.com  13 


I  Smell  a  Rat 

BIOMETRICS  Decades  of  research 
have  shown  that  mice  release  a  unique 
urinary  odor.  Further  research  suggests 
that  a  similar  link  may  exist  between  the 
genes  that  control  a  human's  immune 
system  and  his  body  odor.  Who  knew 
that  a  long-regarded  nuisance  could 
present  opportunities  for  the  security 
industry? 

The Pentagon's Defense Advanced Research Projects Agency (DARPA) is calling for $3.2 million in research funding to find out just how distinct those human odors are. The initial discovery phase of research is expected to last two and a half years, and it will determine whether “robust” fragrance signatures exist. It will also look at how they vary between individuals and are affected by stress, diet, health and age. If research supports the feasibility of odor detection, then DARPA will consider developing a sensor.

The upside is that biometric identification technology based on odor could be much harder to trick than other biometrics because it would be based on people’s genetic makeup as opposed to their fingerprints or retinal scans.

The  downside  is  that  if  biometric  odor 
detectors  ever  make  it  to  the  market,  the 
security  checkpoints  at  airports  could 
get  a  whole  lot  more  embarrassing. 

-Daintry  Duffy 


Filtering  the  Garden 
of  Good  and  Evil 


SPAM Dandelions might look pretty, but they can kill an otherwise healthy lawn. The same is true of the spam that plants itself in your inbox. But heuristic analysis, an e-mail scanning technique that sifts through e-mail messages for the characteristics and behaviors that are unique to spam messages, may help.

Doug  McLean,  vice  president  of  marketing  at  Postini,  a  spam  filtering  service, 
describes  the  spam  characteristics  as  the  “fingerprints”  of  spammers.  They  include 
information  buried  in  the  e-mail  message  header  that  is  invisible  to  most  e-mail 
recipients— information  such  as  the  path  the  e-mail  took  to  reach  its  destination  and 
the  content  of  the  message.  Picking  out  spamlike  qualities  in  e-mail  messages  is  not 
hard  to  do,  according  to  Dave  Strickler,  CEO  of  antispam  service  provider  MailWise. 
“The  biggest  thing  that  people  don’t  realize  is  the  amount  of  mistakes  spammers  make 
in  the  header  of  an  e-mail  message,”  he  says.  Multiple  sender  addresses,  grossly  inac¬ 
curate  time  stamps  and  nonexistent  time  zone  settings  are  just  a  few  of  the  aberrations 
that  are  common  in  spam  messages,  Strickler  says. 

Spam  signatures  work  the  same  way  virus  signatures  do,  according  to  McLean. 
Researchers  look  at  individual  e-mail  messages  and  determine  whether  they  are  spam. 
Once  a  legitimate  spam  message  is  identified,  the  antispam  vendor  uses  an  algorithm 
to  calculate  a  unique  string  of  bits,  or  “signature,”  for  the  spam  message.  The  antispam 
software  uses  that  signature  to  scan  incoming  messages  and  identify  spam. 

Blacklists  and  keywords,  the  other  common  methods  of  screening  e-mail  for 
spam,  only  give  administrators  the  ability  to  block  messages  coming  from  specific 
addresses  or  domains,  or  containing  certain  words.  As  a  result,  they  are  less  deft  at 
picking  out  spam  messages  from  legitimate  e-mail  traffic. 

So,  how  can  a  CSO  know  which  product  and  approach  is  best?  CSOs  who  are 
looking  into  antispam  products  and  services  would  be  well  served  by  conferring  with 
companies  that  are  already  using  the  technology.  For  managed  service  providers, 
McLean  says,  the  account  renewal  rate  will  tell  CSOs  a  lot  about  how  happy  the 
company’s  current  customers  are.  -Paul  Roberts 
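To make the header “fingerprints” Strickler and McLean describe concrete, here is an added example (not Postini’s or MailWise’s code) that scores a raw message for multiple sender addresses, a missing or impossible time zone, a grossly inaccurate Date: stamp and a missing Received: path, and computes a normalised body signature of the kind a vendor would distribute. The weights, the threshold and the sample messages are constructed for the illustration.

```python
"""Header heuristics and body signatures of the kind the article describes.

Added illustration, not Postini's or MailWise's code. The weights, the
threshold and the sample messages below are constructed for the example."""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed weights; a real filter would tune these on labelled mail.
WEIGHTS = {
    "multiple_senders": 3,   # more than one mailbox across From:/Sender:
    "missing_timezone": 2,   # Date: with no zone, or a zone that cannot exist
    "bad_timestamp": 3,      # Date: more than two days from the receipt time
    "no_received_path": 1,   # no Received: trace of the route the mail took
}
SPAM_THRESHOLD = 5


def header_anomalies(raw, received_at):
    """Return the names of the header 'fingerprints' found in one message.

    received_at is an aware datetime for when the mail arrived; the Date:
    header is judged against it."""
    msg = message_from_string(raw)
    found = []

    # Multiple sender addresses: a repeated From: or a Sender: that disagrees.
    mailboxes = {addr.lower() for _, addr in
                 getaddresses(msg.get_all("From", []) + msg.get_all("Sender", []))
                 if addr}
    if len(mailboxes) > 1:
        found.append("multiple_senders")

    # Time zone and timestamp checks on the Date: header.
    sent = None
    date_hdr = msg.get("Date")
    if date_hdr:
        try:
            sent = parsedate_to_datetime(date_hdr)
        except (TypeError, ValueError):   # unparseable date or impossible offset
            sent = None
    if sent is None or sent.tzinfo is None:
        found.append("missing_timezone")
    if sent is not None:
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)   # assume UTC to compare
        if abs(sent - received_at) > timedelta(days=2):
            found.append("bad_timestamp")

    if not msg.get_all("Received"):
        found.append("no_received_path")
    return found


def score(raw, received_at):
    """Sum the weights of the anomalies found; returns (score, anomalies)."""
    anomalies = header_anomalies(raw, received_at)
    return sum(WEIGHTS[name] for name in anomalies), anomalies


def is_spam(raw, received_at):
    return score(raw, received_at)[0] >= SPAM_THRESHOLD


def signature(raw):
    """Signature-style matching: SHA-256 of the body with case and whitespace
    normalised, so a re-wrapped copy of a known spam still matches."""
    body = message_from_string(raw).get_payload()
    normalised = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


# Constructed sample traffic; 192.0.2.x and example.* are reserved for documentation.
RECEIVED_AT = datetime(2003, 3, 15, 12, 0, tzinfo=timezone.utc)

HAM = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
Date: Fri, 14 Mar 2003 09:30:00 -0500
From: Alice Example <alice@example.com>
To: bob@example.org
Subject: Lunch on Monday?

Still on for lunch Monday? Same place as last time.
"""

SPAM = """\
From: "Special Deals" <deals@example.net>
From: winner@example.biz
Date: Wed, 01 Jan 1997 00:00:00
To: bob@example.org
Subject: You have already WON

CLICK   here to claim your PRIZE before it expires
"""

# Same spam body with clean-looking headers and different line wrapping.
SPAM_REWRAPPED = """\
From: promo@example.biz
Date: Sat, 15 Mar 2003 11:58:00 +0000
To: carol@example.org
Subject: Reminder

Click here to claim
your prize before it EXPIRES
"""
```

The re-wrapped copy passes the header heuristics, which is exactly the case the signature check exists for: its normalised body hashes to the same value as the original spam.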

DEPARTMENT OF BIO SCARY NUMBERS

of IT organizations surveyed say they have no way of knowing if their information security has been breached.

SOURCE: META GROUP 2003 POLL


14  www.csoonline.com  March  2003 



YOU and CISM
a WINNING COMBINATION

Some combinations are just natural winners. Like the combination of your security management experience and ISACA®’s new information security certification, CISM™.

CISM (Certified Information Security Manager™) is a groundbreaking credential specifically designed for information security managers. It is intended for those who must maintain a big-picture outlook by directing, crafting and overseeing an organization’s information security. This new credential is brought to you by Information Systems Audit and Control Association®, the organization that has administered the world’s most prestigious IS audit credential for 25 years.

A “grandfathering” process is open to qualified individuals for a limited time.

If you are interested in CISM, visit the ISACA web site at www.isaca.org/cismcso, and find out how to be a part of a winning combination.

CERTIFIED INFORMATION SECURITY MANAGER™

CHRIS ROULAND, DIRECTOR OF INTERNET SECURITY SYSTEMS X-FORCE, IN REGARD TO MOST CORPORATIONS’ WORM AND VIRUS VULNERABILITIES


You Can Bank on It

RISK MANAGEMENT To loan or not to loan. Evaluating risk is a natural preoccupation with the banking industry, so it’s not surprising that it is working on risk measurements that will have effects beyond the financial services industry. In January 2001, the Basel Committee on Banking Supervision issued a proposal for a New Basel Capital Accord that, once finalized, will give banks a methodology to evaluate risk. The New Basel Capital Accord (also referred to as Basel II) sets minimum capital requirements, refines an institution’s internal assessment process and will mandate disclosure processes to encourage safe banking practices. We spoke with Steve Katz, the former chief information security and privacy officer for Merrill Lynch and founder and president of consultancy Security Risk Solutions, for some insight on how the accord will affect corporate security organizations.

STEVE KATZ, FORMER CISO FOR MERRILL LYNCH AND PRESIDENT OF SECURITY RISK SOLUTIONS

CSO: What is Basel II, and whom will it affect?

Steve Katz: The New Basel Accord will apply directly to U.S. regulated banks. It will require banks to set aside capital reserves to offset operational risks, which include information and physical security, HR security and business continuity planning. Banks will need a set of metrics to look at the components of their operation and the risks they have to manage. Some portion of that risk will be offset by transferring it to insurance companies, which will want to ensure they accept the metrics as well. What is interesting is that institutions and large insurance companies will probably use the same metrics as a basis for offering cyberinsurance to non-[Basel II] regulated companies. There are only three things you can do to risk: You can correct it, you can accept it, or you can accept some portion of it and transfer the rest. Insurance companies are nobody’s fools. They want to limit exposure and will require companies to have effective risk management programs and to document them.

Do you think this will steer companies toward taking more of a risk management view of security in general?

Absolutely. You’ll see more of a risk management view across the entire spectrum. It has to be a risk management issue, not a security issue. You’ll also see operational risk management committees set up on the boards of directors similar to audit committees. They’ll make sure that there is [a risk management] program in place.

Though the implementation date is a ways off, are there preparations CSOs should be making?

The accord will be finalized in 2004 or 2005. You’ll see regulators draft guidance documents and submit them for comment. CSOs should look at a couple of things: The Enron Act [a.k.a. The Sarbanes-Oxley Act of 2002], which requires the chairman of the board to sign off on [financial statements]. CSOs should also consider the implications of having the chairman and the CEO sign off on the operational risks. The CEO is signing off on technical risks, and from a security perspective, many CSOs are being required to do the same. In looking at the responsibility for both cyber- and physical security, the ball is very much in the CSO’s court—especially with business continuity planning. ■




IMPOSSIBLE TO FORGET. DIFFICULT TO LOSE. AND YOU DON’T EVEN HAVE TO PUT A NUMBER IN THE MIDDLE.

Biometric user identification that reduces downtime from lost passwords, without compromising security.

Touch Pass Biometric Security System
Only from NEC Solutions America
http://info.necsolutions-am.com/tp5
888 632 8701.

Empowered by Innovation

NEC and Touch Pass are registered trademarks, and “Empowered by Innovation” is a trademark of NEC Corporation and/or one or more of its subsidiaries. All are under license. © 2003 NEC Solutions (America), Inc.


Cold, Hard Drive Facts

DATA RECOVERY Better think twice before you give your hard drive away. According to a new study by two MIT grad students, companies are frequently selling or giving away old computer disk drives with sensitive information still on them.

The study, which is detailed in the report “A Remembrance of Data Passed: A Study of Disk Sanitization Practices,” analyzed 158 disk drives purchased through eBay, at computer stores and salvage companies.

The data retrieved included detailed personal and corporate financial records, medical records, and personal e-mail, according to MIT grad student Simson Garfinkel (a contributor to CSO), who conducted the study with Abhi Shelat.

Financial log files on one drive yielded what appeared to be 2,868 credit card numbers in addition to bank account numbers, dates of transactions and balances. The students think the drive came from an ATM in Illinois and that no effort was made to remove the financial information prior to resale.

The recovered data problem stems from failures on the part of computer vendors and consumers alike. Companies such as Microsoft are guilty of misrepresenting their products’ “file delete” and “disk format” features, according to Garfinkel.

Casual computer users often assume that such features permanently delete the data stored in a file from the disk drive. Instead, most simply change the data to indicate that the file has been deleted, then mark the areas of the hard disk that contain the “deleted” data as being available for reuse by other programs. Assuming that data is not overwritten, it remains and can be retrieved using simple Unix commands or free commercial forensic software tools, Garfinkel says.

Operating system vendors should include software-based tools that securely delete files and sanitize the disk space they leave behind, the report says. The manufacturers of disk drives should also embrace existing technologies such as cryptographic subsystems that encrypt information using a secret key as it is written to the hard disk and decrypt it when it needs to be viewed.

In the meantime, organizations need to adopt consistent policies to sanitize hard drives that are sold, destroyed or reused.

-Paul Roberts

of the hard drives sold or given away contain data that can be easily recovered and read.

36% of those hard drives have been reformatted but still contain old data that can be recovered.

SOURCE: M.I.T. STUDY, “A REMEMBRANCE OF DATA PASSED: A STUDY OF DISK SANITIZATION PRACTICES”

For more on how information is stored on hard drives, read “Tools of Evidence,” Machine Shop, Page 51.
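As an added illustration of the delete-and-format behaviour Garfinkel describes (not code from the MIT study), the toy disk image below keeps a directory of block numbers: “delete” and “format” only touch that directory, so a raw scan of the blocks still recovers the record, while sanitising overwrites every block first. The block layout, the directory structure and the sample record are invented for the example.

```python
"""Toy disk image showing why 'file delete' and 'disk format' leave data
behind and what a sanitising tool must do instead.

Added illustration, not code from the MIT study; the block layout, the
directory and the sample record are invented for the example."""
import re

BLOCK_SIZE = 64


class ToyDisk:
    """A few fixed-size blocks plus a directory mapping names to block
    numbers. Block 0 stands in for the on-disk metadata area; the toy keeps
    its directory in memory instead."""

    def __init__(self, nblocks=8):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(nblocks)]
        self.directory = {}                     # name -> list of block numbers
        self.free = list(range(1, nblocks))     # blocks available for reuse

    def write(self, name, data):
        """Allocate free blocks and store the bytes, as an ordinary write does."""
        needed = -(-len(data) // BLOCK_SIZE)    # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk][:len(chunk)] = chunk
        self.directory[name] = used

    def read(self, name):
        return b"".join(bytes(self.blocks[b]) for b in self.directory[name])

    def delete(self, name):
        """'File delete' as the article describes it: drop the directory entry
        and mark the blocks reusable. The bytes in the blocks are untouched."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """'Disk format' as casual users imagine it: a fresh directory and a
        fresh free list, but not one block is overwritten."""
        self.directory = {}
        self.free = list(range(1, len(self.blocks)))

    def sanitize(self):
        """What sanitising must do: overwrite every block, including those no
        directory entry points at, and only then rebuild the metadata."""
        for blk in self.blocks:
            blk[:] = bytes(BLOCK_SIZE)          # zero fill; real tools use random passes
        self.quick_format()


def carve_strings(disk, min_len=8):
    """Forensic-style recovery: ignore the directory and scan the raw blocks
    for printable runs, as `strings` on a raw device would."""
    raw = b"".join(bytes(b) for b in disk.blocks)
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, raw)]


def demo():
    """Walk the article's scenario; returns what carving finds at each step."""
    disk = ToyDisk()
    record = b"ACCT 0000-1111 BAL 2868.00 TXN 2003-03-01"   # constructed record
    disk.write("ledger.log", record)
    disk.delete("ledger.log")
    after_delete = carve_strings(disk)
    disk.quick_format()
    after_format = carve_strings(disk)
    disk.sanitize()
    after_sanitize = carve_strings(disk)
    return after_delete, after_format, after_sanitize
```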


I’ll See Your Website in Court

LEGAL MATTERS The whole world really is taking note of what you post online. A December ruling by the High Court of Australia found that a story published by Dow Jones & Co. on a U.S.-hosted website can be grounds for a defamation lawsuit in Australia. The suit was brought by Australian mining magnate Joseph Gutnick over the Internet version of an article titled “Unholy Gains” in Dow Jones’s Barron’s magazine.

Gutnick filed the suit in the Supreme Court of his home state of Victoria in Australia, saying that the article’s appearance on the Internet enabled it to be accessed by people in Victoria, thereby defaming him where he is best known. “The torts of libel and slander are committed when and where comprehension of the defamatory matter occurs,” agreed the High Court, citing several precedents.

Legal experts in the United States say that confusion is to be expected when courts with limited geographical jurisdictions preside over legal issues resulting from content on a borderless, worldwide network such as the Internet.

However, companies should be on notice that publishing Internet content to the world may make them subject to different countries’ laws in the same way that exporting physical products does. “We don’t cry a river when R.J. Reynolds has to obey different countries’ laws about selling tobacco. Why should we cry for Dow Jones?” says Jonathan Zittrain, a director at The Berkman Center for Internet & Society at Harvard Law School.

However, Zittrain notes that technological developments in online distribution will soon change the terms of future legal battles over Internet content publication. The advent of new technologies such as geo-location tools will allow publishers to precisely limit the reach of their published speech—thereby also limiting the potential legal risks.

While solving the thorny jurisdictional problems, such technology may also result in a division of the global Internet into separate content regions, with readers in Australia, China and the United States all getting a slightly different take on the same information from the same publisher, says Zittrain. -P.R.




With neuSECURE™, industry-leading software from GuardedNet, you can transform those mountains of raw security event data into what you really need - knowledge to help you manage your organization’s security posture.

neuSECURE threat management process: Firewalls, IDS, Routers, Op Systems, Applications, Others

neuSECURE is a central monitoring system for log aggregation, event correlation, threat analysis, threat response and forensic investigation of security event data from firewalls, IDSs, hosts and routers. neuSECURE facilitates real-time attack detection and response, and generates a wide range of reporting options for operations, management and audit compliance.




The Who, What and Why of Washington

A Homeland Who’s Who

The Department of Homeland Security is staffing up. Here’s a look at the talent pool. By Julie Hanson

PRESIDENT BUSH IS appointing leaders to run the new Homeland Security Department. Included in those appointments are a former congressman and governor, two former presidents of a major military supplier, and a corporate CIO—a diverse mix for a department whose aim is to pull together the technologies of 22 government agencies with 170,000 employees.

The most familiar appointee is Tom Ridge, who has been formally appointed as secretary of the Department of Homeland Security. Ridge’s background comes primarily from Capitol Hill, where he served six terms in the House of Representatives as a Pennsylvania congressman and governor for the Keystone state from 1995 to 2001.

Spearheading the technological challenges is Steven Cooper, the former CIO of materials pioneer Corning. Cooper has been appointed CIO of Homeland Security. Prior to Corning, Cooper was director of corporate IS for pharmaceutical giant Eli Lilly.

Jim Flyzik, former senior adviser to Ridge, previously worked with both Cooper and Ridge, and diplomatically calls them “wise appointments.” According to Flyzik, both Ridge and Cooper will work well with the business and technology communities.

Flyzik admits that differing work culture issues and the diversity of the Bush appointees could initially make things difficult. However, the department will be a merger of many cultures, and a diverse leadership team is necessary. “This is a momentous challenge for everyone, and I think it’s going to take a mix of talent. Things that don’t work well will require some tweaking. It’s going to take years to get the department running smoothly,” Flyzik says.

Rounding out the recent appointments are two former General Dynamics business unit presidents. Gordon England, who also served as the secretary of the Navy, was appointed deputy secretary of DHS, and Charles McQueary was appointed undersecretary of science and technology for Homeland Security. General Dynamics is a leading supplier of defense systems to the United States and its allies; it’s responsible for building jets, warships, tanks and the IS technologies behind military equipment.

Phil Anderson, senior fellow in the international security program for the Center for Strategic and International Studies, thinks the president’s appointments are pretty solid. Anderson says Ridge has the leadership skills needed to pull this department together; England will use his connections with the Department of Defense and the private sector to marry these two powers; Cooper has IT experience that few can rival; and McQueary brings rich private sector experience.

“It’s clear, in the early days of this department and in the next few years, that the key to success is going to rely on leadership—on effective, capable, technically competent leadership.... It would appear that the government is moving in the right direction,” says Anderson. ■

For WASHINGTON UPDATES, visit Wonk online at www.csoonline.com/wonk.


Top Billing

NEWS FROM INSIDE THE BELTWAY

Sen. Russell Feingold (D-Wis.) introduced The Data-Mining Moratorium Act (S. 188), which proposes a moratorium on data mining in the DoD and the Department of Homeland Security until Congress has completed a thorough review of the Total Information Awareness (TIA) program. The controversial TIA program allows government to mine intelligence and personal data of civilians, including credit card purchases, medical and travel records, and any information collected on commercial, public or private government databases.

The Federal Trade Commission reported identity theft complaints accounted for 43 percent of complaints lodged in 2002. Last year, consumers claimed that they lost $343 million due to fraud, more than double the losses reported in 2001. The FTC has developed an online source for information on how to avoid and report identity theft at www.consumer.gov/idtheft.

Sen. John Edwards (D-N.C.) introduced the National Cyber Security Leadership Act (S. 187), which asks the CIO of each government agency to identify significant vulnerabilities in his department, and procure or develop tools to eliminate them. This act requires the National Institute of Standards and Technology to review annual reports submitted by an agency in the first year after this bill’s enactment.

Senate Communications Subcommittee Chairman Conrad Burns (R-Mont.) announced his top priorities for the 108th legislative session. Burns has called these top 10 items the Burns NexGenTen Tech Agenda. The list includes spam reduction, E-911 development, broadband expansion, ICANN reform, wireless privacy, online privacy, and digital equality between the United States and Asia.




PAYMENT SERVICES · WEB PRESENCE SERVICES · TELECOMMUNICATION SERVICES · SECURITY SERVICES

Want your customers to feel confident about e-commerce?

Give them a sign.

The VeriSign® Secure Site Seal is the #1 sign of trust on the Internet.¹ Recognized as a symbol of online integrity and security - the VeriSign seal is used by more e-commerce sites than any other Digital Trust mark. In 2002, online sales increased substantially. Isn’t it time to encourage your customers’ confidence in shopping online, and more importantly, buying online by posting the VeriSign seal? To learn more, get a free copy of the guide, “Securing Your Web Site For Business,” by visiting http://www.verisign.com/dm/freeguide/072 or calling 1-866-893-6565.

VeriSign

The Value of Trust

¹Cheskin/Studio Archetype Study. © 2002 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, The Value of Trust, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries.


Law and Order in a Networked World

Jeffrey Bedser, COO of infosec threat-management company ICG, answers readers’ cybersecurity questions

Q: What approaches do you recommend for cost-justifying anticybercrime measures in the corporate world?

A: I have found that many boards tend to react more favorably to data that demonstrates the whole picture in terms of cyberloss. Take a look into what areas the company does business, and where they are impacted by connectivity to the cyberworld. Are there Internet gray market losses? Any losses to credit card fraud? Public relations damage? Internet stock manipulation? Loss of proprietary data? Pending litigation?

Who in the Internet community—activists, hacktivists, competitors, former employees, employees, identity thieves, geopolitical entities, foreign governments, terrorists—has any interest in causing you cyberharm? (You can always add the cost of any known cybersecurity breaches at this point.) Ranking those threats and putting dollar signs to them will show the impact on company revenue.

I do see many companies outsourcing this process to consultants. That happens for three reasons: limited time and labor resources, limited domain knowledge and less exposure to the impact of bad news.

Q: In what case is my company legally obligated to report a security incident to the authorities?

A: My best answer would be that when you know a crime has been committed you are ethically obligated to report it. The real question is to what legal authority should it be reported.

A major facet of cybercrime is that in most cases it transcends geopolitical boundaries. Thus, making the call on my jurisdiction can be a tough one. It can also be complicated by the nuances of which law enforcement entity is chartered to deal with this particular infraction.

I have had the best success within the boundaries of the American justice system by going straight to the U.S. Attorney’s Office for referral of criminal matters. While not all crimes fall into this jurisdiction, the U.S. Attorney’s Office in each state maintains a cybercrime contact. It will put you in touch with the right law enforcement organization.

Q: Given all the investment in defensive measures, are companies generally less prone to serious cybercrime than they were, say, two years ago? If no, why not?

A: Most investments during the past two years (according to most surveys I keep up with and have seen) indicate that the spending on cybercrime prevention has been through technology that faces outward. This means technologies that protect the organization from the threats that lie outside of the firewall. While this is a good practice and a necessary measure, it is the tip of the iceberg.

The majority of studies into the damages that organizations have had from cybercrime incidents show that anywhere from 70 percent to 90 percent of incidents originated internally. This may be an employee, or a former employee with active root-access privileges to his former employer’s network. The financial impact is directly tied to a failure to implement internal controls and a security policy that could have prevented the damages from ever happening.

In direct answer to your question, companies are more prone to cybercrime incidents now than they were two years ago for the following reasons: the security measures that have been implemented are not designed to protect against the highest threat level, and the threats that target organizations are dynamic and in real-time. Do not for a moment believe that you can rest on your laurels.

Cybersecurity is a task that requires constant vigilance. Every new security measure has two to three exploits being developed (not to the specific security measure, but to the network as a whole).

The only measure that will truly reduce your exposure to cybercrime losses is constant vigilance, and a holistic approach to your organization’s vulnerabilities. ■


Have a security topic to suggest or an expert you’d like to hear from? Send comments to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. Go online to see what your peers are discussing at www.csoonline.com/counsel.




BUSINESS TRIVIA QUESTION

Number 28

Which company handles over 7 billion network connections per day?

□ (a) VeriSign
□ (b) VeriSign
□ (c) VeriSign
□ (d) All of the above

Surprised? Perhaps you also didn’t know that VeriSign processes over 3.7 billion dollars worth of secure transactions per quarter. Truth is, VeriSign has spent the last seven years building a secure infrastructure for the Internet. We’d like to do the same for your business. VeriSign can help you deploy a trusted infrastructure so you can conduct secure communications and transactions. So your business can start making a few billion transactions, too.

Learn all you need to know about infrastructure security - and how VeriSign’s managed network and security solutions can help you - by downloading our new white paper: Cyber Security in the Age of Action. Visit www.verisign.com/security

VeriSign
The Value of Trust

■ PAYMENT SERVICES ■ TELECOMMUNICATION SERVICES ■ NETWORK AND SECURITY SERVICES ■ WEB IDENTITY SERVICES ■

© 2002 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries.


They  are  difficult  to  dismantle  because  they  hide 
their  problems.  For  companies  looking  to  assimilate 
a  target  or  augment  their  own  company  by  adding  a 
subsidiary,  this  group  will  work  fine. 


Merger  Mambo 

Mergers  can  make  a  mess  of  security.  Here  are  some 
suggestions  for  guiding  your  organization  through  the 
confusion.  By  David  H.  Holtzman 


3.  Check  the  likeliest  problem  areas. 

Start  by  validating  key  assumptions  made  by  the  M&A 
team.  If  the  other  company  is  going  to  be  dismantled, 
focus  on  the  parts  that  you’re  really  buying.  If  they’re  to 
be  assimilated,  probe  across  the  breadth  of  the  organiza¬ 
tion.  If  it’s  an  augmentation  play,  ask  them  for  a  briefing 
on  their  organization  and  then  see  whether  they’ve  por¬ 
trayed  themselves  accurately. 


VERY  DEAL  HAS  ITS  OWN  rhythm,  energizing  its  executives 
into  purposeful  activity.  But  the  dirtiest  dance  of  all  is  an  acquisition.  It  begins  with 
a  tentative  waltz  and  grinds  into  a  maniacal  merengue.  That’s  when  security  has 
to  cut  in  without  disrupting  the  beat. 

During  the  past  decade  or  so,  I’ve  been  involved  in  several  mergers  and  acqui¬ 
sitions— some  worth  billions  of  dollars— and  I’ve  made  an  observation:  No  mat¬ 
ter  how  big  the  deal  is,  if  it’s  going  to  happen,  it  will  happen  fast.  Keeping  that  in 
mind,  I’ve  come  up  with  a  security  cheat  sheet 
for  abbreviated,  yet  meaningful,  due  diligence. 


1.  Find  out  why  you’re  really  buying 
the  company. 

There  are  three  reasons  why  these  deals  hap¬ 
pen.  Either  you’re  going  to  dismantle  the  com¬ 
pany  for  its  parts,  assimilate  it  as  a  profit  and 
loss  center,  or  augment  your  organization  by 
adding  the  company  as  a  subsidiary.  Knowing 
which  path  you’re  on  is  the  key  to  spending 
your  time  wisely. 


2.  Look  for  culture  clash. 

If  incompatible  security  styles  become  tangled, 
they  can  bring  the  party  to  a  crashing  halt.  In 
my  experience,  that  has  been  the  biggest  prob¬ 
lem.  Some  of  the  characters  that  may  require 
careful  assimilation  are: 

■  The  ex-military,  ex-intelligence  types.  Their 
hallmark  is  a  pyramidal  organization  chart 
and  well-documented  processes.  This  is  an  ideal  culture  for  companies  look¬ 
ing  to  augment  current  security  services. 

■  NT  shops.  Their  security  function  is  probably  integrated  into  the  IT  department 
and  layered  on  top  of  Windows.  This  group  is  a  good  candidate  for  disman¬ 
tling,  but  like  a  cautious  shopper,  CSOs  should  thoroughly  check  out  what 
they’re  buying.  It’s  easy  to  force  assimilation  by  appointing  a  new  alpha  male 
and  thinning  the  herd,  but  this  group  is  a  weak  choice  for  augmentation. 

■  Unix  fanatics.  Their  slogan  is:  “If  it’s  documented,  it’s  not  important;  if  it’s 
important,  it’s  not  documented.”  These  types  are  lousy  candidates  for  dis¬ 
mantling  because  they’ll  fight  every  step  of  the  way. 

■  Security  teams  that  report  to  finance.  Their  primary  function  is  to  look  flashy 
for  upper  management  and  to  fast-talk  their  way  through  security  problems. 


4.  Document  your  findings  in  a  report. 

Keep  it  short.  Avoid  speculation,  criticism  and  weaselly 
wording.  While  you’re  writing  it,  think  about  how  it  might 
look  as  evidence  in  a  lawsuit.  Begin  by  restating  the  purpose 
of  the  acquisition,  followed  by  a  characterization  of  the 
other  company’s  security  environment,  the  biggest  problem 

area  that  you  see  and  a  short 
discussion  of  hidden  benefits 
and  possible  pitfalls.  Conclude 
with  a  recommendation  of 
areas  for  deeper  digging. 


5. Close the loop with the target company.

A little courtesy goes a long way. If you don’t contact them, no one else will. Don’t make any promises and avoid discussing any specific problems. But a simple phone call can earn you a lot of goodwill.

Security is about choreographing a routine into a stylized art form. The dedicated CSO should not decline to dance nor blindly follow his partner’s lead. He should take a deep breath, move to the beat and keep the best interests of corporate security as his focus, all of this while trying not to step on any toes. ■


David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com. Send feedback and column ideas to Senior Editor Daintry Duffy at dduffy@cxo.com.

For more on the tricky topic of managing security through a merger or acquisition, see Simone Kaplan’s article “Mix Masters,” Page 38.


24 www.csoonline.com March 2003

ILLUSTRATION BY PEP MONTSERRAT


Network Security Engineers are a phone call away.

To keep your business competitive, you need the right IT talent at just the right time.

With more than 100 locations worldwide, Robert Half Technology is a leading provider of:

• Network Security Engineers
• Network Administrators
• Programmers
• Database Administrators
• Web Developers
• Help Desk Professionals
• And other Technology Professionals

With our exceptional connections to the best technology talent available, we’ll do more than provide cost-effective solutions to your needs; we’ll do it exactly when you need it.

Call today! 800.793.5533 roberthalftechnology.com

ROBERT HALF® TECHNOLOGY
Information Technology Professionals℠
© Robert Half Technology. EOE




MARK  CHEVIRON,  corporate  VP  and 
director  of  corporate  security  and 
services  for  Archer  Daniels  Midland, 
believes  that  “travelers  expect 
more  from  the  company  in  terms 
of  security  intelligence— and  so 
do  their  families.” 


Cover  Story 


Foreign  travel  and  expatriate  postings  can  sometimes  turn  ugly. 
CSOs  are  sworn  to  keep  employees  out  of  harm’s  way  when 
they’re  on  the  road.  Chosen  carefully  and  used  wisely,  travel 
risk  services  can  offer  an  extra  margin  of  safety. 

BY DAINTRY DUFFY


AT THE ANNAPOLIS MALL, SHOPPERS ARE braving the Christmas rush. With only five shopping days left, tempers flare over the usual holiday headaches: “stolen” parking spaces, endless lines and out-of-stock merchandise. But across the street from the mall, in a squat nondescript building that’s home to a company called iJet, a group of analysts (most with military or three-letter-agency backgrounds) calmly tracks a dozen hot spots around the world. And the pack of increasingly harried mothers at KB Toys isn’t even a blip on the group’s screens.

In the Democratic Republic of Congo, a stampede following a stadium concert kills four people and injures 30. Police in Jammu and Kashmir, India, are on high alert after a Delhi court sentences three people to death for a December 2001 attack on parliament. In Venezuela, instability is growing as a general strike continues into a second week, accompanied by street protests in Caracas and other cities. In Italy, a series of bomb threats raises speculation of a terrorist event in coming days; and in Spain, a shootout between Basque separatists and policemen kills one officer and wounds another. At iJet’s Maryland headquarters, the mission is not only to monitor and push out updates on those events but to go beyond the often alarming headlines and make sense of world events for its customers: corporate security officers who depend on this intelligence to protect their people and interests in far-flung locations.
It’s a service that has taken on new meaning post-Sept. 11th, one that companies increasingly find themselves incapable of performing on their own. “I can watch CNN, but what I want to know is how a situation will affect my people,” says Mark Cheviron, corporate vice president and director of corporate security and services for Archer Daniels Midland (ADM), which has employees in more than 70 countries.

In This Story: How third-party services can help keep your employees safe overseas ■ Tips for getting the most from such services

PHOTO LEFT BY JEFF SCIORTINO, RIGHT BY GETTY IMAGES

Security Abroad

Few parts of the world are immune from terrorism. Political instability plagues a number of formerly peaceful regions. As a result, fewer companies are willing to indulge in speculative business ventures outside of the United States. However, some companies have no choice. Those whose success depends on exploiting international markets have to forge ahead despite the dangers. For many there is a distinct business advantage to be gained by having in place the travel intelligence and security framework necessary to protect employees who venture into unstable areas. One of iJet’s clients, a Midwestern supermarket chain, regards the company’s Travel Intelligence service as a competitive asset. The grocery chain still sends buyers into areas of South Africa and South America to find fruit, vegetables, clothing and shoes for its stores. Since many other companies have withdrawn from those regions, the chain can negotiate sweet deals on raw materials because it is willing and able to take the risk.

There are a number of players in the area of travel risk management: iJet (which is allied with security behemoth Kroll), Pinkerton and the U.K.-based Control Risks Group are among the leaders. Each provides some combination of a pushed information service (consisting of updates and prognostication) with in-depth reporting on specific regions and round-the-clock access to experts who can advise travelers in emergencies. What benefits can such services offer a global security organization? How do you get those benefits? And how should you select the right provider?

COOLING DOWN THE HOT SEAT

Companies and their officers have the responsibility (a “duty of care”) for employees’ safety from the moment they leave on a business trip until they return. Each unprotected traveler or expatriated employee poses a significant liability to which boards of directors and CEOs are increasingly attuned. “Employee expectations have changed as well,” says Cheviron. “Expats and travelers expect more from the company in terms of security intelligence—and so do their families.”

When questions of employee safety arise, it’s usually the CSO who ends up in the hot seat. Companies such as iJet have found this reality to be a helpful sales stimulus. “When the chairman of the board calls the global security director and says, ‘Holy Hell! I just heard about the bombing in Bali. Do we have any employees there?’ And you’ve got the security guy saying, ‘What bombing?’ or ‘I don’t know, I’ll get back to you later today,’ that’s the wrong answer,” says iJet CEO Bruce McIndoe. The most acute pain point for a CSO is not being in the know, and it’s this knowledge gap that travel risk companies target.

At the core of iJet’s services is a platform, called Worldcue, that integrates all the different databases on traveling and expat employees, providing stakeholders within the corporation, from the CSO and HR department to the chief risk officer, travel manager and corporate medical personnel, with a quick, concise picture of exactly where in the world every employee is. Employees’ profiles are combined with their itineraries and plugged into iJet’s Worldcue database. That database contains everything from constantly updated travel advisories to information on weather, culture, local contacts and security precautions for all regions of the world. Regional and subject matter experts (category analysts) constantly scour websites, newspapers, TV reports and streaming video feeds, and receive updates from sources on the ground to keep data current. In addition to security matters, iJet’s analysts weigh other factors that could significantly impact travel (including issues related to local health, transportation, communication, environment, culture and language).

Jerry Scott is president of Baseops International, a travel logistics company that provides flight support services for many Fortune 500 corporations. Baseops subscribes to iJet’s Country Intelligence Briefs for international travel into potentially dangerous regions and provides this information to its clients. Scott says the briefs help clients protect themselves in places like Central and South America, where kidnapping is a concern, and avoid some of the cultural pitfalls that travelers can encounter in various parts of the world. “Having an understanding of your host, their culture and customs is just good business,” says Scott. For example, while Scott is not a coffee drinker, he will accept coffee when it’s offered in the Middle East in order to avoid insulting his hosts and business partners. Although this kind of information might seem more pertinent to tourists planning vacations (and iJet markets to that segment as well), almost any destabilizing element can affect the security of a traveler. A basic grasp of the culture, customs and behavioral quirks of a given country can keep employees from offending the wrong person or being surprised by an unexpected turn of events. In areas of Southeast Asia and Central America, for instance, a severe storm is more than a travel nuisance. In the wake of a flood or mud slide, poorer areas may go days or weeks without power, food supplies and shelter, a situation that can lead to civil unrest.

PHOTO BY CHRIS HARTLOVE

Training for the Last Resort

IF THERE’S NO HELP AT HAND, YOU’LL NEED TO FALL BACK ON YOUR OWN RESOURCES

Even strapping executive hunks who go to the dojo twice a week can freeze up when faced with real violence. And there isn’t always time to call a hotline for advice. For that reason, companies may choose to send executives bound for dangerous regions to get security training. Crucible, the protective-services division of Kroll, specializes in helping corporate travelers cope with the realities of potentially violent situations.

It’s a curriculum that many travelers need and very few get, according to Jack Stradley, Crucible’s managing director. “My gut sense is that less than one in 10 travelers get any preparation or training,” he says. “Most Americans are so happy-go-lucky. [Their attitude is] why would anyone want to hurt me?”

Crucible’s aim is to train students to recognize the signs of possible trouble and to equip them with the skills to defuse it. Seminars range from a half-day basic introduction to personal security protection to more-detailed courses covering unarmed combat, firearms training, surveillance detection, abduction, antiterrorism and evasive driving. In the full-day sessions, executives tussle with mock assailants and work through scenarios that show how easily they can be compromised and how to recognize that they have been targeted. The attendees also receive some weapons training. “You’d be surprised how many executives have never handled a weapon,” says Jeff Schlanger, COO of Kroll’s Security Services Group. “They don’t understand that there’s a safety, how easy it is for [a gun] to go off, and how difficult it is for the average Joe to hit a human at 15 feet.”

In many countries, locals will bait American travelers, making sexual, racial or political comments to try to provoke a reaction. Stradley walks his students through these scenarios, teaching them to act quickly to defuse the situation (even if only by walking away) before it escalates. “If I’m 20 feet away [from an antagonist], I can take action,” he says. “But if I let [it get] to the point where I have been physically assaulted, then I have far fewer options.” -D.D.

The information gathered by iJet’s analysts is presented and accessed in various ways. Corporate security officers get an e-mail brief each morning, updating them on the latest intelligence from around the world (travelers can access Worldcue themselves, either through iJet’s website or their own intranets). CSOs can also have alerts of breaking events sent to their e-mail, pager or cell phone. Alerts are classified as either “informational” (situational awareness, requiring no immediate action), “warning” (indicating a possible impact on travel) or “critical” (reserved for severe situations, such as an imminent typhoon or impending coup). Of the 400 to 500 alerts that go out each month, fewer than 3 percent are classified as critical.

Worldcue also provides an employee-locator feature based on trip dates, destinations, airports, airlines or flight numbers. In the event of a plane crash, a CSO could know within minutes whether any employees were booked on the flight, and if so, how to get in touch with those employees or a designated emergency contact. (Because of the number of impacted flights, Sept. 11th presented an unusually complex situation. On that day, ADM had 450 employees traveling outside the country. “Within two hours we knew where everyone was,” says Cheviron.)
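The locator described above, reduced to its core matching rule, as an added example that is not part of the original article and is not iJet’s own code. It assumes a hypothetical record per trip leg (employee, emergency contact, travel window, country, optional airport and flight) and an alert scoped to a flight, an airport or a country, with the article’s three severity tiers carried along; the sample itineraries are constructed for illustration. An alert matches a leg only if the alert date falls inside the leg’s travel window and the narrowest scope the alert carries agrees with the leg.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TripLeg:
    """One leg of an employee itinerary (hypothetical record layout)."""
    employee: str
    emergency_contact: str
    start: date
    end: date
    country: str                    # ISO 3166 alpha-2, e.g. "GT"
    airport: Optional[str] = None   # IATA code, e.g. "GUA"
    flight: Optional[str] = None    # carrier + number, e.g. "AA123"


@dataclass(frozen=True)
class Alert:
    """An incident alert. Severity follows the article's three tiers."""
    level: str                      # "informational", "warning" or "critical"
    on: date
    country: Optional[str] = None
    airport: Optional[str] = None
    flight: Optional[str] = None


def leg_matches(leg: TripLeg, alert: Alert) -> bool:
    """True if this leg is exposed to the alert.

    The alert date must fall inside the leg's travel window, and the most
    specific scope the alert carries (flight > airport > country) must agree
    with the leg. A flight-scoped alert therefore does not sweep in everyone
    in the same country, and an alert with no scope at all matches nobody.
    """
    if not (leg.start <= alert.on <= leg.end):
        return False
    if alert.flight is not None:
        return leg.flight == alert.flight
    if alert.airport is not None:
        return leg.airport == alert.airport
    if alert.country is not None:
        return leg.country == alert.country
    return False


def affected(legs: List[TripLeg], alert: Alert) -> List[Tuple[str, str]]:
    """Distinct (employee, emergency contact) pairs exposed to the alert."""
    return sorted({(leg.employee, leg.emergency_contact)
                   for leg in legs if leg_matches(leg, alert)})


# Constructed sample itineraries; not real people, flights or bookings.
SAMPLE_LEGS = [
    TripLeg("A. Lopez", "+1-555-0101", date(2003, 1, 10), date(2003, 1, 14),
            "GT", airport="GUA", flight="AA123"),
    TripLeg("B. Chen", "+1-555-0102", date(2003, 1, 12), date(2003, 1, 20), "GT"),
    TripLeg("C. Okafor", "+1-555-0103", date(2003, 1, 1), date(2003, 1, 5),
            "GT", airport="GUA"),
    TripLeg("D. Novak", "+1-555-0104", date(2003, 1, 10), date(2003, 1, 14),
            "CI", airport="ABJ", flight="AF702"),
]

if __name__ == "__main__":
    unrest = Alert("critical", date(2003, 1, 13), country="GT")
    print("Country-wide alert:", affected(SAMPLE_LEGS, unrest))
    crash = Alert("critical", date(2003, 1, 12), flight="AA123")
    print("Flight-scoped alert:", affected(SAMPLE_LEGS, crash))
```

The scope precedence is the design decision worth checking against any real locator: a crash alert keyed on a flight number should not page every employee in that country, and an alert that arrives with no scope should match nobody rather than everybody.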


TURNING DATA INTO ACTION

An encyclopedic grasp of obscure current events and a sure knowledge of every employee’s travel information might impress executive management, but deciphering what it all means for a company’s operations is another matter entirely. While some vendors excel at providing reams of detailed information, CSOs need to put it in perspective. At Control Risks Group (CRG) based in London, Research Director for Information Services Jake Stratton directs an organization whose goal is to bring clarity to potentially dicey situations. At times when client companies and their employees might panic and be tempted to decamp, says Stratton, the analysts’ goal is “to interpret events and give a feel for what’ll happen next. Is this a trigger event that will incite unrest? Or is it no big deal?”

Cheviron uses both iJet and CRG. He has used the latter to make steady-handed decisions involving employees stationed in Abidjan, in Ivory Coast, where a failed coup has led to widespread fighting. “They’ve kept us advised every day of the situation,” he says, “and that information has helped us make rational judgments in getting our expats out and coming up with an evacuation plan.”

Often, the goal of providing clarity requires that analysts dispel misconceptions. James Smither is a CRG analyst covering Africa. Every two months he travels to the region to get a realistic, current view of the security issues associated with traveling and doing business there. In the past year he’s been to Angola, Ethiopia, Kenya, South Africa, Tanzania, Uganda and Zimbabwe. “Africa has such a bad reputation, and companies are nervous,” says Smither, “because the only things that are ever reported are famine and war.” While a high crime rate is a problem in some African countries, others have less crime than London and Washington, D.C., and some of the biggest risks (for example, the numerous car crashes and dangerous driving conditions) are seldom reported in the mainstream media.

In fact, coverage of global security issues by the press elicits a good deal of grousing from regional analysts. “Every media [outlet] is trying to be an intelligence source,” complains Sarah Slenker, iJet’s senior security analyst. “Every Tom, Dick and Harry that never worked in the security or travel world is being interviewed by the Fox News Network. We just focus on the sources we know are reliable. We want the information, not everybody’s speculation.” For example, one of iJet’s sources on the ground in Venezuela is the Caracas-based chief of security for a major American oil company who is also a former member of the Venezuelan army.

A company’s own employees can be independent and valuable sources of information. With operations in Ghana, Indonesia, the Philippines, Russia and Zimbabwe, H.J. Heinz needed travel security information that covered all areas of the world extensively. Director of Risk Management Ed Aiello recently started using iJet for the daily briefings and the employee-locator feature, but he believes that Heinz’s own employees are sometimes the best sources. “We use a number of sources, and we find that sometimes travel services parrot State Department websites,” he says. “In parts of the world where we have a lot of nationals on the ground, our intelligence is even somewhat ahead of what’s coming from the State Department.” Aiello stresses that services that focus strictly on travel should be a complement to other country intelligence programs rather than a substitute for them.


RESPONDING 24/7

Few companies can respond to a traveling employee’s security concerns 24 hours a day. And (be honest here) how many security executives would want to be awakened at 3 a.m. by an employee who has lost his passport? Or would you really know what to do if nervous executives called to report small arms fire in the street outside their hotel? Twenty-four-hour hotlines are the outsourcing solution to a problem that most CSOs have neither the expertise nor the budget to solve themselves. The hotlines vary in the way they are set up. Control Risks’ CR24 line is staffed by security professionals with a special forces or corporate security background who field, on average, 60 queries a day through e-mail and telephone calls. Corporate travelers contact them seeking advice on everything from minor logistical questions to critical personal safety emergencies.

Peter Cheney, director of CR24, recounts a call received recently from the general manager of a U.S. company’s outpost in Eastern Europe. The executive was traveling to Macedonia for the first time and wanted to know if there were any basic security precautions he should take. He received some advice and went on his way. One evening at 7 o’clock, the same man called back to say that he and his coworkers were in Belgrade on their way to Skopje, and their flight had been canceled. They were rushing to catch the overnight train and wondered whether that was a secure option. With the train leaving in five minutes, he asked whether they should get on. He was advised to take the train only if the meeting was absolutely time-critical. If they took the train, he was cautioned to stay awake for the second half of the trip because people had recently been robbed, removed from the trains and beaten up after crossing into Macedonia. “In our eyes, a relatively minor situation, but important for the client,” says Cheney.

A 24-hour hotline run by iJet functions slightly differently. Incoming calls go to a coordinator who triages each call and hands it off to a specialist depending on the type of situation the caller faces. “We never want to let go of that traveler because we’re their life line,” says CEO McIndoe. In a recent situation in Guatemala, some corporate travelers called the hotline late at night when they heard small arms fire outside in the street. The iJet team started two responses in parallel. A Kroll associate in Buenos Aires was contacted, and he quickly made his way to the airport to travel to Guatemala. Meanwhile, the call coordinator and a security specialist worked with the travelers over the phone to continue assessing the situation. As a result, iJet hired a driver to take the employees to the airport. Once pickup was confirmed from the driver, the Kroll associate standing by in Buenos Aires was called off. The employees were evacuated from the town 90 minutes after first placing the call.

Before deciding to build this sort of capability in-house, you should know that supporting a single hotline can be pricey. McIndoe says that to have just one person available 24 hours a day, seven days a week, a company would actually need six full-time employees. He reckons a CSO would have to pay each of those six employees at least $30,000 a year, a figure that doubles when you factor in benefits and overhead. The result? “You’re paying $480,000 for one warm body,” he says. A ballpark annual fee for the CR24 service would run somewhere between $24,000 and $36,000.

PICKING THE RIGHT PROVIDER

Although CSOs are among the main beneficiaries of travel risk services, they can also, ironically, be a tough sell. The problem, notes Jack Stradley, managing director of Crucible, a Kroll-owned security training and support company (see “Training for the Last Resort,” Page 29), is that CSOs are often “reluctant to admit that they can’t know everything about everything.” They’re under enormous pressure from management to be the last word on anything to do with security. When Stradley recommends a training seminar, he finds that CSOs often worry that management will respond along the lines of, “Well, why did we hire you?” Stradley, retired from the Marine Corps, worked in reconnaissance in South America for several years and as a drug enforcement officer in Bolivia, Peru and Venezuela. “Our folks have worked in high-risk environments and have lived to tell the tale,” he says. “It’s not derogatory to say that [the average CSO is] not equipped for this. You can’t be a specialist in everything.”

“In parts of the world where we have a lot of nationals on the ground, our intelligence is even somewhat ahead of what’s coming from the State Department.”
-ED AIELLO, DIRECTOR OF RISK MANAGEMENT, H.J. HEINZ

PHOTO BY RIC EVANS

There are several key things a CSO should look for in a travel risk partner. The most critical element is the quality of the information offering. A service such as iJet touts its use of more than 6,000 sources in compiling intelligence. McIndoe estimates that about 300 to 400 of those are actual on-location human sources. Before information is sent out as an iJet alert, it’s evaluated by category and relevance. It then undergoes further scrutiny by subject-area experts. An item on a viral outbreak in Nigeria, for example, would go both to a health expert and to the African region analyst. They would vet the information and write an alert if they deemed it worthwhile. Such an item would still need to go through the watch operations desk as well as to an editor to ensure that the text meets standards of accuracy, clarity, brevity and quality. The goal of all this attention is to avoid numbing clients with constant alerts that could be a nuisance at the least and erroneous at worst.

Data also gets stale very quickly. McIndoe claims some services sell country risk reports that are more than one to two years old, hopelessly out of date given the current pace of world events. CSOs should freshness-test any reports or packaged analyses they are offered. Some firms generate their reports on demand only, which is an assurance of fresh content. The most strategic intelligence, upon which companies base future travel and business decisions, can be updated on a monthly or even quarterly basis without getting stale.

It’s also important to pay attention to the breadth of expertise behind the information. “We never just rely on one person [in a region],” says CRG’s Smither. “Everyone is connected to different things. [We draw upon] political circles, police and special forces, experts on corruption, local and foreign journalists, and academics. One person might know who will be the next president, while another knows which roads to go down in Angola.” Few vendors will disclose their sources, but a careful look at their reporting over a period of weeks should give a sense of how well-placed and useful the sources are.

Buyers should be aware that companies may exaggerate the number of sources and security professionals they have on the ground in a given region. If an emergency situation develops and a CSO has employees who need to be extracted from a region, it’s critical to know how many actual responders are available to help. A company might say it has 100 offices around the world, but if they’re mostly sales offices staffed by a secretary and a suit, that won’t do much good for the CSO or his imperiled employees. Likewise, a CSO can infer from a travel risk company’s depth of expertise whether it will be able to put information into perspective. Those companies, says Cheviron, “can give you so much information it makes you sick. They have to be able to cull out what’s important.”

Cheviron also recommends asking for a list of client references to take the measure of different vendors. Many clients’ security directors are members of groups like the International Security Management Association (ISMA). Cheviron has no compunction about calling his fellow ISMA members and asking for frank assessments of a prospective vendor.

The 24-hour capabilities of a travel risk company can also be measured by the traditional yardsticks of any call center: availability and response time. The last thing a CSO wants is for employees in an emergency situation to get a busy signal or be put on hold. The time frame for having personnel on the ground responding to an incident is also an important barometer. CSOs should look at the specific elapsed time a vendor company is willing to commit to for getting a responder to the scene of an emergency and resolving the situation. As with any contract, read the fine print. Some companies insert an impressive list of caveats (a.k.a., loopholes) that can take the teeth out of travel risk services. “I know of [companies] where one of the basic caveats is that they’re not obligated to send their people into a country where there is a current dangerous situation,” says McIndoe. If that’s the case, he adds rhetorically, “What good are they?” ■

Senior Editor Daintry Duffy can be reached via e-mail at dduffy@cxo.com.


Visit CSOonline.com’s THREATS & RECOVERY RESEARCH CENTER to read more articles on physical security. Go to www.csoonline.com/threats.


Information  security  “standards”  are  quite  a  bit  less 
than  that— and  that  needs  to  change 

BY  SARAH  D.  SCALET 


JUST A COUPLE OF YEARS AGO, WHEN SOMEONE ASKED HOW COMPREHENSIVE VANGUARD’S INFORMATION SECURITY PROGRAM WAS, THE ANSWER WOULD HAVE BEEN PREDICTABLY REASSURING but vague: “We’re fine; nothing’s happened.” And for an investment company that manages $560 billion in assets, that just wasn’t good enough.

“The chairman wants to see progression—what’s getting better, what worries us,” says Jim Hyatt, who oversees information security and contingency services for The Vanguard Group. Vanguard’s way of getting there? By following ISO 17799, a nontechnical document from the International Organization for Standardization that’s the closest thing the information security world has to a golden rulebook of management.

Based on the British Standards Institution’s BS 7799, from which it’s almost indistinguishable, ISO 17799 should have a place on every insomniac’s bedside table. This yawner of a document has close to 70 pages of flatly written advice for managers about how to approach, implement and monitor a security program. Widely used in the United Kingdom, it has been mostly snubbed in the United States as a flawed document that’s the next worst thing to regulation. Yet, as a few U.S. companies are discovering, ISO 17799 can be an effective way to communicate to stakeholders that a company is working toward a set of security best practices recognized around the world.

At Vanguard, the process started as every fledgling CSO dreams it will. The top brass


IN THIS STORY: Key infosecurity management standards ■ Tips for implementing them ■ Why current standards still need work




PHOTOGRAPHY  BY  WALTER  CALAHAN 


Standards 


So Many Standards, So Little Time

The information security field has lots of standards, but these are the main ones that can help from a management perspective.


British Standard 7799 Part 1 From the British Standards Institute, it is high-level security advice widely used in the United Kingdom and elsewhere. Critics contend that it makes security seem like a checklist, not a process.

British Standard 7799 Part 2 Also from the British Standards Institute, BS 7799 Part 2 is similar to Part 1 but with fewer suggestions for implementation. The document says that organizations “shall” do things, not that they “should,” which means companies can be certified against it.

ISO 17799 Based on BS 7799, this standard was hurriedly passed in 2000 by the Geneva, Switzerland-based International Organization for Standardization (whose short name, ISO, is not an acronym at all but comes from the Greek isos, meaning equal) and is currently being revised. People love it and hate it for the exact same reasons: It tells you what to do but not how to do it. Despite the fact that it’s called a standard, it functions more like a guideline, with wording that companies “should” do things, not that they “shall.” Companies cannot be certified against ISO 17799.

ISO Guidelines for the Management of IT Security Known as GMITS, this is a five-part technical report from ISO. It’s currently being edited, in part to make sure it doesn’t contradict ISO 17799.

NIST Special Publication 800-14 This document gives Generally Accepted Principles and Practices for Securing Information Technology Systems from the U.S. National Institute of Standards and Technology. This set of guidelines is based on BS 7799, but it is more detailed. Other related NIST Special Publications are 800-12, An Introduction to Computer Security: The NIST Handbook; and 800-26, the Security Self-Assessment Guide for Information Technology Systems.

Generally Accepted Systems Security Principles Known as GASSP, this standard being created by the Information Systems Security Association aims to be security’s answer to the Generally Accepted Accounting Principles from the Financial Accounting Standards Board, which are used mainly in the United States. GASSP is being renamed the Generally Accepted Information Security Principles (GAISP). -S.S.


declared information security a top priority, yanked it out of the information technology department and gave the new group the go-ahead to start using ISO 17799. Information security, working closely with IT, the internal audit department and senior management of each business division, started tackling the document in late 2001. Each of the 30 categories, including software development, telecommunications structure, remote access and employee awareness, was assigned an owner, who worked with someone from both information security and internal audit to assess how comfortable the company was with that aspect of security. Then the three-person team began rating the category a red, yellow or green: green for areas at or near industry leadership, yellow for items that could be improved, and red for items that needed immediate attention.

The results were compiled onto one of Vanguard’s “dashboards”—one-page documents that managers across the company use every week to set their direction. Now, when a new computer virus hits, the category for virus, Web and e-mail controls is rated red until new filters are installed. Suddenly, information security works like the rest of the business.

“This  framework  allows  my  security  team  to 
let  everyone  else  see  what’s  going  on,”  says 
Hyatt,  a  jack-of-all-trades  who  has  been  at 
Vanguard  23  years  and  counting.  “It’s  very 
effective  for  getting  action:  Here’s  something 
you  own;  it’s  red.  You  rarely  get,  ‘I’m  too  busy.’ 
It’s  also  a  great  tool  to  monitor  progress  and 
helps  my  group  prioritize  what  to  look  at.  In 
the  past,  information  security  would  rush  to 
address  anything  that  audit  may  have  found, 
and  so  you  did  spot-fixes  here  and  there,  as 
opposed  to  having  a  nice,  cohesive  plan.” 

If it sounds as if ISO 17799 was the answer to Vanguard’s security management, there’s just one catch. Vanguard isn’t really following the standard. Some of the categories don’t apply and were thrown out. Other areas were reworded, or “Vanguard-ized,” as Hyatt puts it. For instance, the IT department at Vanguard is split into application development and technical operations; likewise, some of the ISO categories had to be split in two. “We’d change the standards to fit the organization as opposed to making the organization fit the standard,” Hyatt says. His justification is sound: “If we don’t get something in place that fits within the organization, then it’s not sustainable. This felt more like guidance as opposed to rules.”

Not that it would matter if Vanguard wanted to salute every word of the standard. ISO doesn’t offer certification for 17799 as it does for other standards. There just isn’t support for a standard precise enough to measure compliance. The question is, if individual companies modify ISO 17799 to make it work, and if there’s no way to be certified, then what’s so “standard” about it anyway?

In theory, standards are the key to making information security a mature discipline. In reality, standards are still the greatest thing that never happened to security management. And in the future, a real, certifiable standard would, could—and probably will—be the key to the board-level credibility that information security desperately needs. It’s up to CSOs as to whether that day comes sooner rather than later, and whether they’ll be able to shape the standard into one that really works.

Standard  Politics 

CSOs looking for a set of standards to follow will have no problem finding one. That’s the problem. “People are confused about which they should be using, big-time,” says Steve Crutchley, CSO and cofounder of 4FrontSecurity, a startup consultancy based in Reston, Va.

Legislators are setting enforceable standards for particular industries, like the Gramm-Leach-Bliley Act for financial services and the Health Insurance Portability and Accountability Act of 1996 for health care. President Bush’s Critical Infrastructure Protection Board is leading efforts to set security standards for government agencies. Businesses, including the major credit card companies, are issuing standards for customers and business partners to follow. And other organizations are creating standards that they hope companies will follow out of the goodness of their hearts, or their pocketbooks. This last category of standards holds the most promise for being fair, functional and widely applicable, and right now it’s a buyer’s market.

In addition to ISO 17799 and BS 7799, CSOs can lean on a series of papers from the National Institute of Standards and Technology that offer similar advice. In particular, NIST Special Publication 800-14, known as the Generally Accepted Principles and Practices for Securing Information Technology Systems, can help with setting up and managing a security program. But watch out: Although 800-14 is often called a standard, it’s not, really. It’s a technical report. A guideline.

Meanwhile, the Information Systems Security Association, a nonprofit professional organization based in Oak Creek, Wis., is working on yet another “standard.” Committee members hope this one will be to information security what the Financial Accounting Standards Board’s Generally Accepted Accounting Principles are to accounting—never mind that GAAP is really only used in America. This standard is currently known as the Generally Accepted Systems Security Principles (GASSP). Using the framework provided by ISO 17799, GASSP aims to offer more specific guidance than such dictates as “a range of controls shall be implemented to achieve and maintain security in networks,” but still not delve into the realm of specific products. The committee began its work a decade ago but languished, and it plans to relaunch its efforts this winter with Information Systems Security Association funding and rename the standard the Generally Accepted Information Security Principles (GAISP).

At The George Washington University, Krizi Trivisani, director of system security operations, is partial to the NIST documents but admits that the use of any such standard is limited. “What these standards are trying to do is provide a common basis for organizational security standards, so you have a level of confidence and assurance in your organization,” she says. “What they don’t tell you is exactly how you’re supposed to get that done.”

Enter another contender: a bevy of technical standards like those from the Center for Internet Security that explain the best way to configure, say, Windows NT. Clint Kreitner, president and CEO of the nonprofit organization, describes his group’s standards as the nitty-gritty ground view, as opposed to the 50,000-foot view.

“There’s a continuum of information security standards that goes all the way from the level of generality that a board of directors should deal with, down to the level for enterprise management, to operating divisions, all the way down to the detailed operational steps that one has to take to configure firewalls, routers and so on,” Kreitner says. “But the continuum tends to be broken. It’s a series of perspectives that are not generally connected.”

Ready  or  Not,  Here  They  Come 

For security management, at least, the ISO 17799 standard is the one most widely accepted. That’s not saying much. In fact, the best measure of its success may be that other standards bodies are trying to compete with the ISO specifications without explicitly contradicting them. Widely used in the United Kingdom and Pacific Rim, ISO 17799 still hasn’t gained traction in the United States. A users group (www.xisec.com) lists just three organizations in the United States that have been certified by the British Standards Institute as being BS 7799 compliant. And even its biggest American boosters admit that it’s flawed. “It’s not perfect,” says Giga Information Group Research Director Michael Rasmussen, “but it’s the most widely adopted. You can follow other best practices, but this puts everything together in one spot, and it’s internationally recognized. Wherever I go, people are asking about it.”

Nevertheless, 17799 was born of the Geneva, Switzerland-based ISO with marks against it. Fast-tracked through the approval process in August 2000, ISO 17799 had the support of many small countries but only one of the large G7 nations—the United Kingdom, where it was born as BS 7799. Canada already had its own competing standard. So did Germany. So, of course, did the United States, with the NIST publications. None of the large countries wanted to throw its weight behind a competing standard. Critics charged that ISO 17799 was passed too hastily, written unevenly and lacked sufficient guidance—that it told managers what to do without telling them how to do it.

At First Data, one subsidiary that deals with global Internet commerce had a Big Five consultancy audit it against the ISO requirements, says CISO Phil Mellinger. Mellinger, who is trying to make the company’s security requirements ISO-compatible, says the document itself just wouldn’t work for most of the $7.6 billion Denver-based financial services company. “We see it as sort of an outline of what a business should address, but it’s not detailed enough or specific enough for our business,” he says. “You know how it is when you write documents through consensus.”

Opponents also said that the document made it seem as if security were just a list of to-dos, rather than an ongoing process. The solution was a rather superficial one. All the checklist-type material was placed in an appendix at the back of the document. And that didn’t address the most fundamental criticism of all: That ISO 17799 shouldn’t be a standard, only a technical report.




“When the U.K. brought BS 7799 to ISO, many international bodies would have been very agreeable to having that document become a technical report as opposed to a standard,” says Alicia Clay, program manager for information security outreach with NIST, who is a representative on the committee that edits ISO 17799. “The expectation of a technical report is that it’s more of a guideline. ISO 17799 reads more like a technical report, but technical reports tend not to carry the same kind of weight. People don’t generally talk about conformance to reports.”

The thing is, they don’t talk about conformance to ISO 17799 either. Because of subtle differences in wording between the documents, companies can be certified against BS 7799 but not ISO 17799. Consultancies that offer ISO 17799 validation and certification have, by necessity, altered the standard or opted to use BS 7799 instead. Thus, practices are based on ISO 17799—which tells companies they “should” take certain actions, rather than BS 7799, which says they “shall” do things—but not compliant with it.

Chris Zoladz, Marriott: Standards compliance work is “very inclusive, very comprehensive.”

“Normally for a standard, you would say, A company shall do this and shall do that,” Clay says. “It’s really clear. You’re conforming to a standard [like BS 7799] if you’re conforming to the ‘shall’ statements. You may hear people say that they’re ‘complying’ with 17799. They aren’t, really, unless they’re changing all those ‘shoulds’ to ‘shalls.’”

When asked why the standard is set up that way, Clay lets out a long chuckle. “That,” she answers, “is the question that is much debated.” In fact, an ISO committee that is revising the standard again—it’s common for new standards to undergo continual revision—will meet in Quebec in April, and one of the questions on the table is whether ISO should develop a standard that could support a certification system.

Clay doesn’t want to put herself in one camp or the other, but the U.S. attitude toward ISO 17799 tends to be one of resignation. “One of the reasons why the U.S. is so actively working on it is so that, if something does come of it, it’s something U.S. business can live with,” Clay says. “Whether we were ready for it or not, we now have a standard. It starts to be a good thing that 17799 is not definitive because then it would be more difficult to work with.”

In  the  paranoid  security  world,  even  an 
accepted  certification  system  would  hardly 
inspire  the  kind  of  proud  “ISO  9000  Certified” 
banners  that  hang  from  manufacturing  plants 
across  the  country.  But  it  would  make  the 
standard,  well,  a  bit  more  standard. 

Same  Beginning,  Same  End 

In the meantime, those who have studied all the standards say that it might not matter so much which one companies choose—just that they pick a set of best practices and try to follow them. “You pay your money, and you take your choice,” says 4FrontSecurity’s Crutchley (who, just for the record, is a Brit who’s a certified BS 7799 auditor). “They all have the same beginning and the same end. You always end up with the best practices. It’s just the way they’re being approached. Pick one, and work with it.”

Not  that  it  will  be  the  most  exciting  thing 
you  ever  do.  Far  from  it.  “It’s  a  boring  job  to  do 
this,  to  be  quite  honest,”  Crutchley  warns. 
“Unbelievably  boring.” 

It’s also a lot of work—at least that’s what Chris Zoladz, vice president of information protection at Marriott, discovered when he started using ISO 17799. “It’s very inclusive, very comprehensive, and it can at first be overwhelming because of the size and number of areas that are covered,” he says.

To cope, Zoladz created a document based on the structure of ISO 17799 and then added in the details as best he could. Next, he distributed pieces of the document to different people in the business who had expertise in a particular area, like sales or physical security. Once he got answers back, he created a master document that he distributed to the group for further feedback. Now, the document gets reviewed and updated once a year to help him set priorities.

The end result, Zoladz admits, isn’t so different from what he might have gotten by following any list of best practices. The ISO label just made it a little easier for him to get others to participate.

“Unlike maybe what you might get from one of the consultancies—which I’m sure is fine and very useful—the BS or ISO is recognized, it’s known, it’s objective,” Zoladz says. “People didn’t come out and say this, but I sensed that by being able to say this is a well-recognized standard—immediately there was an acceptance—as opposed to if I would have said, Hey, this is consulting firm ABC’s best practices. There might have been more discussion about, how did they come up with these, or look what I just got in the mail from consulting firm D.”

“Third-party credibility and objective reasons why something needs to be done are important, and standards are sometimes looked at as a way to do that,” says Larry Dietz, director of market intelligence at Symantec. “Ever seen the Wizard of Oz? What was the scarecrow’s problem? He didn’t have a brain. And how did the wizard solve the problem? He gave him a diploma that said he was smart.” ■

Senior  Writer  Sarah  D.  Scalet  can  be  reached  at 
sscalet@cxo.com. 


Looking for more about information security standards? Read “IT Trends 2003: Information Security Standards, Regulation and Legislation,” a CSOonline ANALYST REPORT. Go to www.csoonline.com/printlinks


Get involved early—and often—in your company’s M&A strategy. If you leave security planning until the end, you may not have enough dollars in your budget to get you where you need to go.


By  Simone  Kaplan 


IN THIS STORY: How to cut costs by thinking about security needs before a merger takes place ■ An M&A checklist

Perhaps it makes you think about market share or combined assets. It most certainly leads to thoughts of change and chaos. But, for most executives, security is probably not top of mind.

It should be. Bringing a new company into the fold, or being absorbed by another company, can be an untidy procedure where the goal is usually “let’s just get through this thing.” And despite best-laid plans, anything can happen. When better to think about security?




Mergers  &  Acquisitions 


Yet, if your company is anything like the ones we’ve talked to, you’re sure to face an uphill battle when trying to get your security agenda into your company’s merger and acquisition strategy. It’s crucial, however, that the CSO get in on the M&A process right from the start. Addressing security issues early can help lay the foundation for a stronger, more efficient security organization once the M&A is complete. And doing so can help thwart digital intrusions, social engineering and threats from disgruntled employees during the final integration process. Sometimes early involvement can even prevent your company from doing business with a company whose ethics or corporate practices aren’t up to your standards.

“Companies that don’t allow security to play a major role in M&A plans are putting themselves in a position of increased risk,” says Lynn Mattice, director of corporate security for medical device maker Boston Scientific’s global operations. In fact, there’s evidence that, if the CSO has a voice early in the M&A process, he can actually help make the merger cost less for the company. “With enough due diligence, the CSO can help an already preoccupied CEO and executive board know as much about the target company as they know about their own company,” Mattice says.

Do  Diligence 

It’s easy to sum up why CSOs need to get involved in M&As: risk reduction. Merger or not, it’s the aim of any security officer. But it becomes an especially important task when you’re talking about joining forces with another company. If you don’t do your homework, you can end up losing instead of adding value to the business, which is what the M&A is all about.

What does “managing risk” look like when considering a merger? For starters, the CSO should look at where the target company operates. A merger may mean you expand operations into new countries, some of which could have high-risk environments. If so, you’ll need to incorporate specific evacuation and business continuity plans into the merger plans.

Also, CSOs should explore the target company itself. What is its reputation? Has there been any evidence of government payoffs? All U.S. companies with operations abroad must comply with the Foreign Corrupt Practices Act (FCPA), an antibribery law that prohibits U.S. companies from paying foreign government officials to obtain or retain business. If staffers of a target company are discovered to have worked with dishonest business brokers at any time—even if they didn’t know it—both that company and the purchasing company can be prosecuted. “You have to be very, very careful when investigating [another company’s] compliance with the FCPA,” says Mattice. “Buying or merging with a company that’s in violation of the FCPA means you’ll probably be inheriting an investigation by the Securities and Exchange Commission or Department of Justice down the line.”

What’s  the  cost  of  keeping  the  company 
and  its  employees  safe?  In  some  countries, 
the  cost  of  providing  security  can  add  up  to 
20  percent  of  operational  costs,  says  Bobby 
Gilham,  manager  of  global  security  for 
Conoco/Phillips. 

And it’s not enough to collect data about the potentially blended enterprise; you must gather and analyze the information early in the process. “Budgeting for security is like building a house,” says consultant John McCarthy, former director of corporate security for Texaco. “The last thing to go up is the roof. If you don’t budget enough money for that roof, then you’ll end up with a leaky roof that doesn’t cover you entirely,” he warns. “Likewise, if you wait to look at the company after everything is put together, you’ll understand why security should have been a priority. That’s when the CEO will want your opinion about what should be done to build the security organization. But the budget plans and priorities will have already been set, so you won’t get what you need because it would require a budget overhaul.”

McCarthy—who weathered three different mergers while at Texaco and was involved in the company’s partnership with Shell in the late 1990s—says he insisted on getting involved early in the process to avoid such budgetary problems. “You can’t be a shrinking violet,” he says, because ultimately an inadequate security budget could leave the new entity vulnerable in many ways. “The more information you have,” McCarthy says, “the better you can help protect the company’s—and its shareholders’—interests.”

PHOTO BY JAY STEVENS

If you’re worried that we’re suggesting you do the kind of work that requires sifting through financial records or legal compliance histories, relax. Those tasks are typically handled by the legal and accounting teams. Instead, for the CSO due diligence means delving into the fine print of how the target company operates on a global scale. Ask what security practices, if any, the target company already has in place. What are its vulnerabilities? How effective are its IT protections and access control systems? Does it have controls to protect intellectual property? Does it educate employees about ethics? Will the merger create operations in new countries? If those kinds of questions are explored early in the process, Gilham says, a CSO can get a clear picture of what it will cost to upgrade—or, if necessary, create—a new security system.

Of course, it’s clear why more information is better than less. And knowing about security issues up front can keep you from scrambling for budgetary crumbs later. But can your efforts to dig deep into an M&A project really help to reduce the costs related to that merger?

“Absolutely,”  says  Mattice.  With  enough 
information  prior  to  making  an  offer,  the 
cost  of  related  security  can  be  factored  into 
the  actual  costs  of  the  M&A.  “It’s  much  more 
valuable  if  your  CEO  can  go  in  with  a  lower 
bid  because  it’s  understood  ahead  of  time 
what  it  will  cost  to  protect  the  company,”  he 
says.  “That’s  where  the  savvy  CSO  can  help 
minimize  costs.” 

And  then,  by  tying  the  costs  of  security  to 
the  venture  instead  of  making  it  a  new  item 
on  the  capital  budget,  the  dollar  amount  has 
a  different  tax  treatment.  “That  way,  you 
don’t  have  to  go  back  and  fight  for  those 
budget  dollars  later  on,”  says  Mattice. 

Getting  Down  to  Business 

Even if you have a clear idea of the work that lies ahead in the nascent entity, you’ll still face the task of actually creating the new security organization once the M&A is underway. That is a delicate process because the new security structure is based on at least two separate departments—each with its own culture, processes and functions. As in any situation where multiple entities become one, the likelihood is high that toes will get stepped on.

To  understand  what  the  new  security 
structure  needs  to  be,  security  leaders  from 
both  companies  should  determine  what  their 
current  security  organization  offers,  says 
Gilham.  “Be  willing  to  share  ideas,”  he  says. 
“Start  with  a  blank  slate  and  try  to  picture 
what  the  new  organization  will  look  like.  Then 
ferret  out  the  gaps  in  what  security  is  doing 
right  now  versus  what  it  will  need  to  do  later.” 

When Conoco and Phillips began to discuss their possible merger in November 2001, Gilham (then manager of global security at Conoco) met with his counterpart at Phillips to begin the transition. Both men noted the different ways in which the two companies ran on a day-to-day basis. On the security side, Conoco had a larger global security organization that was involved in scoping out new business opportunities and working to




Your M&A Checklist

Navigating unstable terrain requires CSOs to keep one eye on helping personnel weather the transition and the other on creating a solid security organization with the available resources.

SECURITY OPERATIONS

□ Who are your international partners, and in what countries do they operate?

□ Do you know what level of security each of your international branches requires?

□ Have you done due diligence to investigate any history of security breaches or bad business practices?

GOVERNANCE

□ Have you looked at both security organizations to get an idea of what the new organization will look like?

□ Did you map out all the reporting relationships in the security organization?

□ Do you have a strong line of communication with the executive board?

CULTURE AND ETHICS

□ Did you meet with your staff to break the ice and discuss the kind of security culture you’re aiming for?

□ Have you composed and delivered a statement of security ethics to all employees?

□ Do you have methods in place to protect your intellectual property?

TECHNOLOGY

□ Are your business platforms compatible?

□ What kind of links do you have with outsourcers and contract companies, and are those connections secure?

□ Do you have access controls and intrusion detection systems in place?

-S.K.


protect  domestic  refineries.  Phillips’  security 
department  was  primarily  focused  on  the 
company’s  domestic  presence.  Because  the 
potential  new  company  required  attention  to 
domestic  and  international  operations,  Gil- 
ham  was  given  the  go-ahead  to  expand  the 
new  security  department  in  both  size  and 
function.  He  also  kept  an  eye  on  cutting  costs. 
For  example,  Conoco  had  global  security  cen¬ 
ters  with  24-hour  operations  in  three  states, 
and  Gilham  consolidated  the  centers  to  one 
location.  He  made  careful  decisions  about 
whether  to  keep  in-house  such  services  as 
access-control  monitoring,  for  instance,  or  to 
hire  more  building  guards.  He  also  created 
new  positions— a  full-time  global  security 
analyst,  for  one,  whose  job  it  would  be  to  stay 
current  on  international  events,  manage 
travel  approvals  for  high-risk  areas  and  give 
guidance  to  the  company’s  divisions  overseas. 
Gilham  also  worked  with  the  human 
resources,  marketing  and  loss-prevention 
departments  to  facilitate  an  interdepartmen¬ 
tal  effort  regarding  security. 

When it came to managing the transition of the security personnel, Gilham met with the security employees from both Phillips and Conoco to assess their career goals. He discussed with them their vision of where they fit into the new organization and whether they were willing to relocate (Phillips was based in Bartlesville, Okla.; Conoco in Houston, where the merged company is now headquartered). “You have to find out if people really want to be part of the new company and if their skills fit the new organization’s needs,” Gilham says. “Not everyone’s will. And you have to handle each situation with sensitivity.” Gilham also looked at who was eligible for retirement or severance packages. “These are good people, and I wanted to treat them well,” he says.

Let’s be honest. Mergers usually mean job cuts, and no one likes working under the shadow of the ax. And uncertainty can wreak its own brand of havoc. As a leader, it’s up to you to keep the situation under control. Boston Scientific’s Mattice offers the following advice to prevent or reduce the kind of employee fear and anxiety that often leads to people taking a swipe at their company’s intellectual property or IT systems, and to ensure a smooth merger for both companies.


1. Communicate regularly. A company that respects its employees, communicates with them and keeps them updated on the status of the merger is at a much lower risk for internal threats than a company that appears uncaring and impersonal. Helping people and treating them with respect is the best way to protect yourself from the repercussions of employees’ anger or fear.

2. Protect your assets. It’s essential that all senior executives are aware of the potential for employees to launch an attack against the network. And you want to do everything in your power to prevent someone from walking away from the company with any intellectual property. CSOs should make certain that access-control systems are up to par. Plan ahead with your HR department to assess if a security representative should be present when an employee is informed of a layoff.

3. Get it in writing. When dealing with the inevitable (and not always voluntary) departure of employees after a merger or acquisition, have them sign mandatory noncompete agreements, Mattice recommends. Companies should also provide outplacement services and, in some cases, counseling for employees who may need help adjusting to the change.

4. Emphasize the ethical. For the employees who stick with the company, it’s important to establish a culture emphasizing ethical business procedures. Make it clear to everyone what the philosophy of the new company will be and how you expect people to operate. The best way to mitigate any internal risks or misunderstandings is to have each employee sign an ethics statement.

“How many times has a CEO said, ‘If I had only known...,’” Mattice says. “That’s where the CSO’s real value lies. You’re one of the main sources of need-to-know information. Otherwise, it’s all just a roll of the dice.” ■

Staff Writer Simone Kaplan can be reached via e-mail at skaplan@cxo.com.


How can you mitigate security risk during a merger? Read MANAGING MERGERS AND ACQUISITIONS, an eight-step outline that will help you secure the loose ends. Go to www.csoonline.com/printlinks.






Beleaguered public sector CSOs are grappling with tight budgets and red tape for what seems to be a no-win battle to secure their information systems. Here’s how the government’s security efforts stack up against the private sector’s. By Jennifer Jones


IN THIS STORY: What the public sector is doing to improve security efforts in its agencies ■ Why supplemental funding practices don’t always work


ILLUSTRATION  BY  SERGE  BLOCH 




Federal  Agencies 


For a moment, imagine your company’s security shortcomings splashed all over C-SPAN, CNN and the major networks. The broadcasters aren’t exposing a genuine security breach; your customers’ records remain uncompromised. Yet they’re probing the details of even the smallest of your systems’ potential risks. In the hands of TV journalists trained to play up those facts most likely to rouse viewers, and therefore inflate ratings, the risks are morphing into hypothetical but alarming worst-case scenarios right before your eyes. To make matters worse, this unwanted press has arrived after your corporation’s potential pitfalls were magnified to many times their size in official security scorecards, prepared by outside auditors and delivered into the hands of savvy politicians—many of whom are out to show that they are looking out for the best interest of the shareholders—and, ultimately, the voters. These lawmakers are long familiar with the power of a dramatic press release.

Maybe it’s an unlikely scenario for you and your company, but it’s a situation facing top IT security officials in our federal government today. Every year, security “report cards” are issued to the media by lawmakers on Capitol Hill whose job it is to provide oversight for the departments of Justice, Transportation and Treasury, among others. The annual security tally sheets are the subject of public hearings—some of them televised—and the world is informed of how cabinet-level agencies are doing in terms of securing the systems that touch the entire nation.

And if the report cards are any indication, the public sector is doing rather poorly, thank you, when it comes to security. Last November the entire federal government received an overall failing grade—again. It’s been that way since 1996 when Congress’s watchdog auditing agency, the General Accounting Office, began calculating the grades. In the most recent report card, 14 of the 24 agencies tracked by GAO scored an F, and only two earned a middle-of-the-road C. The Social Security Administration ranked highest in terms of its overall efforts to fortify its systems but only managed to pull a B-minus.

So federal security officials are now detailing comprehensive strategies to tighten security measures across their organizations. Collectively, their plans to improve security seem to mirror the private sector’s—many are preparing to hire CSOs and stepping up the use of external audits.

What sets the plight of government IT security executives apart from the private sector, however, is their dependence on the notoriously long and circuitous federal purchasing and budgeting processes that is bureaucracy.

The State of the Feds

Notwithstanding the abysmal marks, there is little evidence that the federal government is really doing worse than the private sector. The GAO cites an April 2002 report conducted by the Computer Security Institute and the FBI’s San Francisco Computer Intrusion Squad. Although the majority of federal agencies polled had detected security breaches, the report found the same was true of major corporations also included in the review. The study mentions news reports of hacks at NASA and of military networks. Yet major companies also suffered serious break-ins during the same time frame.

However, Gartner Research Director for Internet Security John Pescatore cautions, “[Security measures] really are a lot worse in government, and federal CIOs should learn from the private sector.” He characterizes much of the federal government’s approach to security as less than robust. This, he says, reflects a half-hearted attempt to harness the Internet because many agency leaders are steeped in legacy systems and business processes. Ultimately, such an underutilization of the Internet leads to a more relaxed approach to security, since an executive who undervalues the Web is likely to show similar attitudes toward security, Pescatore says.

“The bottom line is that these agencies are not doing much with the Web,” he says. The market pressure that a Cisco or an Intel feels, for example, does not come to bear on a federal agency. “Let’s face it. If the Cisco site goes down, the company loses money hand over fist,” he says. “But if a government site goes down, nobody really notices.”

Not so, say others. While federal security executives will acknowledge that the government may never get to the level of security known in the finance industry, for example, they say that government isn’t any worse than corporate America when it comes to security weaknesses. “I don’t think security is worse in federal agencies,” says Federal Aviation Administration CIO Dan Mehan. “I think the problems we have at the FAA are absolutely as prevalent in the private sector.”

“Government security may get more press,” agrees KeyCorp CISO Jim Wade, a former IT security official at the Federal Reserve and Department of Energy who now spends time with federal security leaders as part of his role on a Commerce Department security oversight committee.

Good, Bad or Indifferent

Though Mehan, Wade and others make a case that their security problems are shared by private companies, the public sector is far different when it comes to accountability. While corporations have shareholders and customers to answer to, federal agencies are subject to more public scrutiny by the legislative branch and even by special interest groups dedicated to watching federal officials’ every move, especially when it comes to safeguarding government resources financed by taxpayer dollars.

Consider the difficulties facing the Department of Justice’s CIO and acting senior IT security official, Vance Hitch. He signed on last spring to address internal IT security matters across more than 30 DoJ suborganizations, and he’s still trying to bring up DoJ’s failing security grade. Hitch answers ultimately to Attorney General John Ashcroft. “When I came in, there was a tremendous focus on the issue of security, especially since [Ashcroft] was so interested in IT security,” he recalls. Hitch knew that the demands placed on him would stretch beyond the borders of his agency. In the wake of 9/11, the DoJ as the pinnacle of law enforcement had to be doubly vigilant, and the agency’s top managers were looking to Hitch for answers.

CASE STUDY: DEPARTMENT OF TRANSPORTATION

Taking the Long View on Security Reform

LISA SCHLOSSER, the Transportation Department’s associate CIO for IT security, has gained favorable mentions in White House reviews lately for her efforts to tighten IT security, which likely helps to soften the blow of a failing grade on the latest federal security report card.

As DoT’s first senior-level IT security official, Schlosser says she is taking a long-term approach to improvements. “The changes we have made were done on a three-year plan to get us to a baseline we are comfortable with,” she says. One of Schlosser’s first moves involved spearheading a concerted campaign to integrate security into the agency’s major lines of business, she says. “Making security a part of the procurement process and the HR process—that’s the kind of groundwork we laid last year,” she explains. The DoT now demands that every technology purchase be tagged with two precautions: Security clauses must be included in every contract, and vendors must undergo background investigations.

“This is the first time we integrated security into the capital-planning process, so folks took that seriously, and we spent a lot of time training business unit leaders,” says Schlosser. From that process, Schlosser saw immediately how important it was for security officials to convince agency personnel of the value of their services. “The security folks have to add value to business processes to be taken seriously and for security to be taken seriously,” she says.

One way Schlosser’s staff reached out to prove its value was through a license for vulnerability scanning tools. “That way individual operating units don’t have to go out and negotiate to buy the technology. And having one enterprise license across the business units saves millions,” she explains.

To make agency employees more serious about security, Schlosser’s staff helped devise a cybersecurity handbook, which requires DoT personnel to sign rules of behavior. Contractors are also served with a set of security policies and guidelines.

In the end, such tangible strides toward increased security outweigh the agency’s marks on annual reviews, she continues. “I feel a little more comfortable with our program, and I focus more on that feeling than on the rating. We are implementing a strategy that I think will put us ahead of the game,” she says. -J.J.

Yet federal IT security executives feeling the heat of public, congressional and administrative forces admit that the added pressure, as uncomfortable as it is, is not all bad. “Increased oversight works to empower federal leaders to make necessary changes,” says Lisa Schlosser, the Department of Transportation’s associate CIO for IT security. “Overall, it has been a good motivator for the department, and we’ve spent more time on these issues.” In fact, the security mandates as outlined in new laws prescribing federal security provisions amount to a clear sense of what the White House and Congress expect in terms of changes, she says.

Nor does the DoJ’s Hitch resent the high level of attention now given to IT security. “I firmly believe we need to do the things required by [the new laws]. We are in no way opposed to them. In fact, we’re pushing for them. Because of the importance that is being placed on these requirements, we can use the [laws] as a hammer or a wedge,” he says. That is, Hitch and others can use pressure from the White House and Congress to get agency managers in charge of major business processes to make necessary security changes. These requirements also come in handy at budget time, when the agency is justified in asking Congress how it is to pay for the improvements lawmakers want to see.

In terms of specific weaknesses, a November 2002 GAO report (titled “Computer Security: Progress Made, But Critical Federal Operations and Assets Remain at Risk”) detailed federal soft spots in six broad categories:

■ Security program management
■ Access controls
■ Software development and change controls
■ Segregation of duties
■ Operating systems
■ Service continuity

The practical security risks associated with these areas include, among other things, problems with tracking prisoners and possible breaks in IRS systems to “obtain personal taxpayer information and use it to commit financial crimes in taxpayers’ names,” according to the report. Along with the continuous pressures that the GAO and Capitol Hill have exerted during recent years, agencies must now also endure increased vigilance from the White House, especially as internal IT security has become tightly aligned with antiterrorism and homeland security efforts.

Recently renewed legislation plasters agency IT security reviews into the highly visible Executive Branch Management Scorecard. President Bush and his staff in August 2001 came up with the idea of using their own scorecards to show how agencies were doing in their efforts to improve targeted programs. While the scorecards are available to the public, Bush has promised to routinely deliver them to the Office of Management and Budget, which has authority in devising Bush’s spending plans for each agency. (For a look at a sample scorecard, see www.whitehouse.gov/omb/memoranda/m02-02scorecard.pdf.) The scorecards are supposed to help strengthen accountability and provide a means to track each major agency’s progress in areas such as financial management, use of the Internet and now IT security.

Involving the White House in federal security matters started in earnest with a law called the Government Information Security Reform Act of 2000 (GISRA), which was passed as a trial move to test the benefits of increased oversight. However, a new law called The E-Government Act of 2002 was signed in December and included agency IT security provisions originally drafted as the Federal Information Security Management Act (FISMA) of 2002. When this law passed, GISRA’s stepped-up executive branch oversight became permanent, meaning that federal security executives must get used to stringent accountability measures from both branches of government. For its part, OMB is now charged with setting policies, standards and guidelines for every agency’s information security.

But along with making more demands on agency security, the laws seek to provide federal security executives with the tools that they need to evaluate their own efforts to address security weaknesses. For instance, the Commerce Department’s National Institute of Standards and Technology (NIST) issued “Security Self-Assessment Guides,” a framework methodology now used by agencies. The idea was to devise a barometer that agencies could use to gauge the results of new initiatives, though some sources say the self-assessments can be a double-edged sword. For example, OMB reported the results of the first set of agency self-assessments for 2001, and the White House used agency self-assessments against officials, knocking them for not getting a handle on a series of common security weaknesses. Among other things, OMB cited a general lack of senior management attention to security, limited training of internal and external personnel and the absence of strong security measures to protect services provided by contractors.

Feel the Heat

Official reports, however, don’t tell the whole story. Even those critical of government security efforts find fault with the grading criteria, which hinge on self-evaluation instead of external audits. This practice is likely an incentive for some less-than-objective behaviors on the part of agency officials asked to evaluate themselves. “Government security managers tend to overstate security problems to justify increased funding,” says Gartner’s Pescatore.

Keeping political decision-makers’ attention on internal IT security has become a goal of federal executives such as FAA’s Mehan, especially as internal IT security challenges go head-to-head—in the budget and elsewhere—with other dramatic national risks.


CASE STUDY: DEPARTMENT OF JUSTICE

Priorities in the Balance

CHARGED WITH IMPROVING security operations at an agency with literally hundreds of systems, DoJ CIO and acting senior IT security official Vance Hitch realized right away that he would have to pick his battles carefully.

“I had to develop a plan that would give me the most bang for my buck. That meant setting priorities,” he explains. “At certain times, I am willing to acknowledge that there may be a risk, but that risk is not high enough. For instance, if I identify 10 problems and isolate each one, I may well find that by fixing five of them, I can cover 95 percent of what I set out to do.”

One of Hitch’s first moves was to encourage each of the agency’s many organizations to incorporate more external certification and accreditation audits, and begin a course for adopting technology such as intrusion detection.

Hitch is also demanding that all agency IT procurements be primed with security provisions. “If they haven’t demonstrated security measures in the project descriptions, they will have to before I approve it,” he says.

By tying approval and funding to security, Hitch accomplishes more than oversight, since that also allows him to impose a measure of uniformity across vastly disparate DoJ systems.

One of Hitch’s more immediate goals now is to put in place a CSO equivalent to maintain the agency’s current focus on security. “I think I need a central, high-level person who is responsible to me for these issues. That will be a leader in the eyes of [DoJ’s] components—a person who will give tough answers that agency personnel need to hear in order to devote some of their energies to this area.” -J.J.


“With threats like nuclear, biological and chemical warfare, we realize that we’ve got to work hard to keep an emphasis on IT security,” he says. But the fact remains that protecting the computer systems that support the nation’s airways is as important as guarding against outbreaks of smallpox.

Still, a test of the government’s attention span for agency IT security may well happen in the coming months as the administration moves to assemble the Department of Homeland Security, a massive organizational feat that will stitch together the missions of 22 agencies. Though the administrative chaos resulting from this move may be a temporary distraction from efforts to improve internal security, the forging of the Department of Homeland Security is also a chance for the government to put its mark on the security industry, some sources say.

“Senior staff will set the direction in choosing internal safeguards and will, therefore, influence decisions across critical infrastructures,” notes KeyCorp’s Wade. “Government will have to lead by example. We’re seeing that happening more and more.”

But will it be enough? For change to take place, agencies will first need healthy IT security budgets. According to government sources, those budgets are just now beginning to materialize. The DoJ’s budget, which includes tech spending across all DoJ agencies such as the FBI and Drug Enforcement Agency, got a healthy bounce in last fiscal year’s budget, and the agency is hoping for another spike, Hitch says. Specifically, DoJ’s security spending went from 3.8 percent of the agency’s total, which is about $2 billion, in fiscal year 2001 to 5.1 percent in fiscal year 2002. “I was shocked it was initially that far below average,” says Hitch of the budget figures he walked into when he first took his post.

Hitch claims he still needs another boost to be able to do things like increase his IT security staff from eight to 20 or so individuals. Now strapped for talent, DoJ supplements its internal efforts with contractors, an approach mirrored by other agencies. For instance, the U.S. Agency for International Development has five of its 60 internal IT employees dedicated full time to security but has access to about 220 contracted staff, according to John Streufert, USAID’s information systems security officer, a newly created position reporting to the agency’s CIO. “Other staff members are working on projects that are primarily targeted at IT security benefits, such as virtual private networks and encrypted dial-in from home,” he says.

The Department of Transportation historically spends about 2 percent of its IT budget on security, which trails the average of 5 percent to 8 percent across private industry, notes Schlosser. “We are definitely looking to increase that,” she says. DoT’s FAA has a security budget that hangs at about 3 percent of its roughly $2 billion overall budget, a figure officials there say they are hoping to boost in the coming year as well.

Tighten the Purse Strings

That the federal government lags behind the private sector in security spending as a percentage may be only one financial factor contributing to any security shortcomings. Another is likely the manner in which the government has gone about paying for its security efforts, according to Gartner’s Pescatore. “The whole idea in government is to sprinkle security in at the end,” he says.

That after-the-fact approach to security is an outgrowth of the rigid budgeting process, Pescatore says. For instance, the federal budget that governs spending at all agencies breaks down funding into two major categories: ongoing and supplemental expenses. Congress and the Bush administration have approached IT security by setting aside “separate pots” of supplemental monies, says Pescatore.

Few security professionals would argue that federal budgeting and procurement processes have left their mark on the individual agency’s attempts to reform security practices. And KeyCorp’s Wade agrees that lumping security resources into extra, supplemental funding kept separate from basic funding for mission-critical operations contributes to the government’s problems. “If IT security funding isn’t part of the baseline, then it’s not tied to compliance requirements. It becomes—and I almost hate to say this—optional or discretionary,” he says. In other words, because IT security is not hooked into the funding for the agency’s central business processes, which are subject to set requirements, the fate of this funding is not guaranteed.

In addition, some cite the technology industry’s initial tendency to view security as not important enough. “In a lot of respects, part of the basis for our problems is the fact that products in the past have not been built with security in them,” says FAA’s Mehan.

However, now that federal decision-makers and the technology industry seem strongly focused on security, agencies are speeding toward the use of beefed-up firewalls and network security auditing solutions, according to Pescatore. At Transportation and Justice, areas of technology that are of particular interest include analytical tools to allow officials to do a better job of gatekeeping. Intrusion detection is another area showing signs of increased federal interest. And DoT is turning to MIT's Lincoln Laboratory for mathematical and sniffing tools that would process the mounds of data gleaned from intrusion-detection activities, officials say.

Justice officials have looked to maximize volume buying power by centralizing the purchase of intrusion-detection tools. Hitch's staff has put in place contracting vehicles for IDS technology for all DoJ organizations to use, in an effort to impose uniformity and make the technology easier to adopt.

“It’s funny,” Pescatore says, “just as the private sector is discovering that intrusion detection doesn’t always do what it’s supposed to do, federal officials are leaping into intrusion detection in a big way.”

As in private companies, use of biometrics and smart cards is also increasing in the federal arena. In fact, DoT's Schlosser cites smart cards as a technology where federal buying practices could prove a help rather than a hindrance. Specifically, DoT will consider using the General Services Administration's existing smart card contract to fulfill its requirements. Because GSA has already jumped through all the contracting hoops, Schlosser and others at DoT could simply place orders for the technology and speed up adoption immensely. The DoT has also combined forces with the FAA to forge an enterprise license for vulnerability scanning tools.

Yet despite the value of private contractor involvement in these areas and others such as security auditing, DoJ's Hitch preaches the value of internal accountability and warns government officials not to try to outspend their security challenges. “For best practices and broad-based experience, you can’t delegate responsibility,” he says. “Security is a never-ending problem. It is a hole you never get out of, since life in IT security means that new things and new risks always arise.”

Indeed, lawmakers may soon realize that federal IT security is not pass/fail, and that progress toward new security goals is arguably measured in shades of gray and in the details that make up each effort to revamp business processes or adopt new technology. Until then, there's always next semester to bring the grades up. ■

Jennifer  Jones  is  a  freelance  writer  based  in  Vienna,  Va. 
Send  comments  to  csoletters@cxo.com. 


For more information about public sector security, visit CSOonline's LEGISLATION & POLICY RESEARCH CENTER. There, you'll find more articles about security in other government agencies and resources on the law and security standards. Go to www.csoonline.com/legislation


Whether more or less prevalent than in the private sector, government security problems have been spelled out for all to see.


March  2003  www.csoonline.com  49 


Locations in: Ft. Lauderdale, FL | New York Metro | Columbus, OH | San Diego, CA | Washington, DC Metro
INTENSE SCHOOL - 8211 W. BROWARD BLVD FORT LAUDERDALE, FL 33324 Ph. 888-328-8093 www.intenseschool.com

Intense School
IT Training & Certification

CISSP® In 7 Days
Advanced Forensics In 3 Days
Professional Hacking In 7 Days
CWNA/CWSP Wireless Security In 10 Days
Security+/TICSA In 6 Days
Check Point In 6 Days
CCSP® In 12 Days


Technologies, Tools and Tactics

Tools of Evidence

Computer forensic tools now make it possible to more easily search for, and find, evidence on hard drives. By Simson L. Garfinkel


Much of the U.S. government's case in Criminal No. 01-455-A will be based on digital evidence found on the defendant's computer hard drives. The case, better known as United States v. Zacarias Moussaoui, is the government's high-profile terrorism trial against the alleged “20th hijacker.” Among the evidence that the government has in its possession are so-called disk images from two laptop computers, one belonging to Moussaoui, the other to his roommate Mukkarum Ali. Also in evidence: images of two computers from the University of Oklahoma, where at least one of Moussaoui's roommates attended classes.


The government's use of computer evidence in this case isn't surprising; such evidence is increasingly being used in both criminal and civil matters. In criminal cases, computer evidence gives investigators and prosecutors a way of looking back through time and into the mind of a criminal defendant. Such evidence is routinely admitted by courts, and it can be incredibly damaging to the defense: it convicts the defendant with his own words.

But finding those words can be quite a challenge. It's not likely that a captured computer will have a file on its desktop named “PlanstoBombtheWorldTradeCenter.doc.”


No, incriminating information needs to be painstakingly searched for, cataloged and recorded. What's more, an investigator needs to be able to document that the “found” evidence wasn't actually planted on the suspect's computer by the police.

A challenge, yes, but one that's eminently doable, thanks to a new generation of computer forensic tools now available.

To understand how these tools work, it's important to know the basics of how information is stored on modern computers. The hard drive inside almost every laptop and desktop computer in use today is a tremendously sophisticated piece of engineering, with the ability to store millions of e-mail messages, documents, photographs and the like. But fundamentally, every hard disk stores information as a series of 512-byte units called blocks (or sectors). A 10GB hard drive has about 20 million of them.

ILLUSTRATION BY ANASTASIA VASILAKIS

When you format a hard drive with Windows, the operating system scans the entire disk to see if any of the blocks are bad. It then writes an empty directory at the beginning of the disk; this becomes the root directory of your computer's C: drive. When you save a file on the drive, some of the blocks get dedicated to that file, and a name is put in the directory that points at these blocks. When you try to read a file, the operating system follows that pointer. When you delete the file, only the pointer is erased; the blocks it pointed to keep their contents until the operating system happens to reuse them for another file, which is exactly what a forensic tool counts on.
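A small simulation of that pointer-and-blocks arrangement, added here as an example (it is not code from the article or from any tool it names): a toy disk of 512-byte blocks with a dictionary standing in for the directory. Deleting a file removes only the directory entry, so a scan of the unallocated blocks still turns up the file's text; once the freed block is reused, the text is gone. The ToyDisk class, the file names and the memo text are all constructed for the example and do not model any real file system's tables.

```python
"""Toy block-level disk showing why a deleted file survives on the platter.

Added example, not code from the article. BLOCK_SIZE is the article's
512-byte block; the dictionary-based directory is a deliberately simple
stand-in for a real file system's tables (not FAT or NTFS), chosen so the
pointer-versus-data distinction is visible in a few lines.
"""

BLOCK_SIZE = 512


class ToyDisk:
    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}  # file name -> (block numbers, byte length)

    def _free_blocks(self):
        used = {b for blocks, _ in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def save(self, name, data):
        """Dedicate blocks to the file and point a directory entry at them."""
        need = max(1, -(-len(data) // BLOCK_SIZE))  # ceiling division
        free = self._free_blocks()
        if len(free) < need:
            raise OSError("disk full")
        chosen = free[:need]
        for i, blk in enumerate(chosen):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = (chosen, len(data))

    def read(self, name):
        """Follow the pointer, as the operating system does when a file is opened."""
        blocks, size = self.directory[name]
        return b"".join(self.blocks[b] for b in blocks)[:size]

    def delete(self, name):
        """An ordinary delete: the pointer goes, the blocks are not touched."""
        del self.directory[name]

    def unallocated_blocks(self):
        """The space a forensic tool walks when hunting for deleted data."""
        return self._free_blocks()

    def carve_text(self, min_len=8):
        """Printable ASCII runs found in blocks that no file points to."""
        found = []
        for blk in self.unallocated_blocks():
            run = bytearray()
            for byte in self.blocks[blk]:
                if 0x20 <= byte < 0x7F:
                    run.append(byte)
                    continue
                if len(run) >= min_len:
                    found.append(run.decode("ascii"))
                run = bytearray()
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
        return found


def demo():
    """Delete a file and recover it; then let its block be reused and fail to."""
    memo = b"Confidential draft: merger terms, do not forward."  # constructed sample
    disk = ToyDisk(8)
    disk.save("memo.txt", memo)
    disk.delete("memo.txt")
    recovered = disk.carve_text()  # the OS sees nothing; the examiner sees the memo
    disk.save("new.txt", b"unrelated content written later")  # reuses the freed block
    after_reuse = disk.carve_text()  # the memo is now gone for good
    return recovered, after_reuse
```

The second half of demo() is the caveat that goes with the first: the window for recovery closes as soon as the operating system hands the freed block to another file, which is why a seized machine is powered down and imaged rather than used.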

For years, the only practical way of analyzing the data on a seized computer was to use the computer itself to analyze its own disks. Investigators would start in the root directory and look around; the better investigators would use tools that could search files for keywords or make a list of every file on the computer by file type or modification date. Deleted files could be “undeleted” with Norton Utilities, but that was about the limit of many forensic investigations.

Modern forensic tools begin where the computer's own tools leave off. For starters, instead of working on a disk drive itself, the tools work on a block-for-block copy of the drive called a drive image file. You can make a drive image with special software or with special-purpose hardware. If you have access to a computer running Unix or Linux, you can make that image file with the dd command. Whatever you use, the original drive should be attached through a write blocker, or at the very least never mounted read-write, so that you can show the copy was taken from an unaltered source. For the Moussaoui case, the original hard drive was copied onto another hard drive using a Logicube SFK-OOOA handheld disk duplicator; this master, in turn, is used to create the image files.

When making an image copy, the investigator also records a cryptographic checksum of the drive and of its copy. Typically this is done using the MD5 algorithm; if both MD5 codes match, the investigator can testify in court that the copy is identical to the original. (In the case of Moussaoui's Toshiba laptop, the drive image was made using SafeBack; it had an MD5 code of de12b076f9d6cc168fe3344dc1e07c58.)

Once you've got that image file, you have a lot of choices. You can use a utility like the Unix strings command to scan the file and display every printable string. Among other things, that will show you the content of e-mail messages, Microsoft Word files and so on. With some versions of Linux and BSD-based operating systems, you can mount an image file as a file system, through a loopback device and read-only, so that the examination cannot alter the image. That will show you all of the files that you could see if you had sat down at the original computer.
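The acquisition step, as an added example rather than code from the article, SafeBack or the Logicube unit: a dd-style block-for-block copy that keeps going past an unreadable block (zero-filling it and recording its number, as dd's conv=noerror,sync does), digests of source and image to prove the copy is faithful, and a strings pass over the image. The BlockDevice class, the sample disk contents and the bad-block list are constructed so the example runs offline. MD5 is what the article's tools record; SHA-256 is computed alongside it because MD5 collisions have since been demonstrated and current practice records a second digest. The run with a bad block shows the check a practitioner needs: the image can no longer match the source digest, so the case record must carry the bad-block list and the digest of the image as acquired.

```python
"""dd-style imaging with hash verification and a strings pass.

Added example; not code from the article or from SafeBack, Logicube or
any other tool it names. BlockDevice, SAMPLE_DISK and the bad-block list
are constructed stand-ins for a real drive.
"""
import hashlib
import re

BLOCK_SIZE = 512


class BlockDevice:
    """A read-only 'drive' that fails on a chosen set of blocks (constructed)."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad = set(bad_blocks)

    @property
    def block_count(self):
        return -(-len(self.data) // BLOCK_SIZE)  # ceiling division

    def read_block(self, n):
        if n in self.bad:
            raise OSError(f"I/O error reading block {n}")  # a bad sector
        chunk = self.data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
        return chunk.ljust(BLOCK_SIZE, b"\0")


def image_device(dev):
    """Copy every block. Like `dd conv=noerror,sync`, an unreadable block is
    replaced by zeros rather than aborting the copy, and its number is kept."""
    out = bytearray()
    unreadable = []
    for n in range(dev.block_count):
        try:
            out += dev.read_block(n)
        except OSError:
            out += bytes(BLOCK_SIZE)
            unreadable.append(n)
    return bytes(out), unreadable


def digests(data):
    """MD5 is what the article's tools recorded; SHA-256 is added because
    MD5 collisions have since been demonstrated."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(image, reference):
    """True only if every digest of the image equals the recorded reference."""
    got = digests(image)
    return all(got[name] == value for name, value in reference.items())


def strings(data, min_len=8):
    """Printable ASCII runs of at least min_len bytes, as `strings -n 8` prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed sample drive: a fake executable header, an e-mail header, a blank block.
SAMPLE_DISK = (b"MZ\x90\x00".ljust(BLOCK_SIZE, b"\0")
               + b"From: alice@example.com\r\nSubject: re: the plan\r\n".ljust(BLOCK_SIZE, b"\0")
               + bytes(BLOCK_SIZE))


def acquire_and_verify(bad_blocks=()):
    """Image SAMPLE_DISK, compare it against the source digests, and report."""
    source_ref = digests(SAMPLE_DISK)
    image, unreadable = image_device(BlockDevice(SAMPLE_DISK, bad_blocks))
    return {
        "matches_source": verify_image(image, source_ref),
        "unreadable_blocks": unreadable,
        "image_digests": digests(image),  # goes in the acquisition notes either way
        "strings": strings(image),
    }
```

The returned dictionary is what an examiner writes into the acquisition notes: source digests, image digests, the tool and its settings, and any blocks that had to be zero-filled. With bad_blocks=[1] the e-mail header block is lost, the image no longer matches the source, and the strings pass comes back empty, which is the point of recording the image digest separately rather than assuming it equals the source.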

But if you want to really look inside the image, use a special-purpose forensic tool. The best free tool out there is Task, written by Brian Carrier, based on a program called TCT, by Dan Farmer and Wietse Venema. Task lets you step through the image, recover deleted files and create a time line showing when each file was created, last modified and last accessed. Task is a great way for people interested in computer forensics to get their first glimpse of this world.

If forensics is your business, rather than your hobby, then you will almost certainly want to get one of the professional tools on the market. Two of the best are EnCase, by Guidance Software (roughly $2,495 per user), and the Forensic ToolKit (FTK), by AccessData ($595).


Images Are Everything

VISITORS TO THE United Kingdom often comment on the prevalence of surveillance cameras “over there.” The United States is playing catch-up in that area, which of course has privacy wonks in a lather. For those charged with catching (or deterring) crime through picture-taking, a number of new products advance the state of the art.

Cleaner Cabling

Simpler is always better, right? Traditional closed-circuit video cameras require three cables: one for power, one for the video, and one for the controls that move and aim the camera. Anixter has now created Closed-Circuit Twisted Pair (CCTP) video, which runs all three over a single high-performance cable. The resulting system is not only simpler but also compatible with standard IP-based networks, which means it's easier to connect the surveillance system to existing corporate networks, if need be.

Anixter is quick to point out that the product is Underwriters Laboratories-certified, so that running power over the network won't blow it up or start a fire, which is one mark of a good system in our book.

For more information, go to www.anixter.com.

-Derek Slater

Smarter Video

Speaking of IP-based surveillance, ObjectVideo is hoping to help such systems smarten up. The company's product, Video Early Warning, attempts to remove the single greatest headache that motion detection video has produced: false positives.

The company does that by using object-based technology to create thresholds on a reasonably static surveillance image. For example, if there's a door in the frame, the user can create a rule that tells the system to ignore motion unless it crosses the threshold of the door. A camera fixed on an outdoor perimeter will ignore birds that fly through the frame but pick up on a lingering boat. The software also picks up on a change of state. A bag that suddenly becomes stationary at an airport, for example, could sound an alarm. Or a piece of art that never moves suddenly moves, and the alarms go off.

CSOs, though, will likely embrace the post-event capabilities more than anything. Archived, highly compressed video is stored in a database, making


CompTIA Certifications: A+, Network+, Security+, i-Net+, Server+, CDIA+, Linux+, IT Project+, CTT+, e-Biz+, HTI+

“Knowledge is our biggest weapon”
-Jeff Recor, President, Olympus Security Group

Your Defense Against Hackers, Attackers and Thieves

Neither technologies nor policies alone offer effective protection against theft and destruction of intellectual property. Industry and governments alike must have a well-trained IT workforce to effectively combat hackers, attackers and security threats. CompTIA's Security+ is the standard validation for that workforce. Recognized as the benchmark for foundation-level security professionals, Security+ incorporates a comprehensive range of security knowledge areas. Take the necessary steps to maintain the integrity of your organization's communications, infrastructure and operations. Certify your IT workforce today.

For more information, visit www.comptia.org or call 630-678-8300.

Security+ and other CompTIA certification exam costs are reimbursable to military personnel through the G.I. Bill and DANTES programs.

Although EnCase and FTK are very different programs, they have a surprising amount of overlapping functionality. Both run on Windows and require a dongle installed on your system to deter software piracy. (Ironically, law enforcement investigators have a terrible reputation when it comes to software piracy.) Both let you search for particular strings and file types. Both let you view regular files and deleted files, or examine the part of the hard drive that isn't mapped to any file at all, the unallocated space. Both log the operator's actions and let you prepare a professional report. Indeed, both programs have a ton of functionality, and reading the manual is not enough: To get the best use out of them, you'll need to take the training offered by the companies.

To start using these programs, create a new investigation “case” and then add evidence. FTK lets you add images, files, directories or disks that are attached to the computer. EnCase allows you to acquire from a raw file or from another computer, either over a network or by using a special cable that the company provides. EnCase adds images quickly, allowing you to go about the business of hunting for data faster. FTK is much slower at adding evidence (it can take half an hour or longer), but it painstakingly searches through the entire disk, building a database, indexing all the text that it finds, and even looking inside Zip archives to see what files were zipped up.

Once  the  evidence  is  added,  you  can 
use  these  tools  to  search  the  disk  image 
for  keywords,  e-mail  messages,  images 
and  more.  You  can  restrict  your  search  to 
files  that  were  or  were  not  deleted,  if  you 
wish,  as  well  as  to  a  particular  time  range. 

Not surprisingly, one of the primary uses of these tools is child pornography investigations. And although the programs can't automatically search out pornography, they have the ability to display a page showing all of the .gifs and .jpegs that were discovered in the image file, and the images of naked people tend to be obvious. You can also import a database of MD5 codes for known child pornography: If the program finds a file on the suspect drive image with a matching MD5 code, an alert will be raised.
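An added example of the two image-related checks just described (not code from EnCase or FTK): identifying pictures by their leading bytes, so a .jpeg renamed to .txt still lands in the gallery, and matching recovered files against a hash set. The MAGIC table holds real format signatures; the hash set (KNOWN_SAMPLES, with made-up catalogue labels) and the recovered files are constructed so the example runs offline. The deliberately altered copy in the demo shows the limit of hash-set matching: one changed byte is enough to miss, which is why such sets are only a first pass. Run against a known-good set such as NIST's NSRL, the same routine discards standard operating-system files instead of flagging them.

```python
"""Finding pictures by content and flagging known files by hash.

Added example, not code from EnCase or FTK. MAGIC holds real format
signatures; KNOWN_SAMPLES and the recovered files in demo() are constructed
stand-ins, since a real hash set is loaded from a law-enforcement or vendor
database and a real gallery comes from a disk image.
"""
import hashlib

MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}


def sniff_type(data):
    """Identify a picture by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def gallery(recovered):
    """Every recovered file that is a picture by content, whatever it is called."""
    found = {}
    for name, data in recovered.items():
        kind = sniff_type(data)
        if kind is not None:
            found[name] = kind
    return found


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_hash_set(samples):
    """Index known files by MD5, keeping each one's catalogue label."""
    return {md5_hex(data): label for label, data in samples.items()}


def match_known(recovered, known):
    """{file name: label} for every file whose MD5 is in the set. A hit is an
    exact byte-for-byte copy; a file that differs by a single byte is not a hit."""
    hits = {}
    for name, data in recovered.items():
        label = known.get(md5_hex(data))
        if label is not None:
            hits[name] = label
    return hits


# Constructed stand-ins; only the leading bytes are real format signatures.
KNOWN_SAMPLES = {
    "CAT-0001": b"\xff\xd8\xff\xe0" + b"A" * 64,
    "CAT-0002": b"GIF89a" + b"B" * 64,
}


def demo():
    known = build_hash_set(KNOWN_SAMPLES)
    recovered = {
        "DCIM/img_001.jpg": KNOWN_SAMPLES["CAT-0001"],              # exact copy: hit
        "homework.txt": KNOWN_SAMPLES["CAT-0002"],                  # renamed copy: hit
        "tmp/~img42.jpg": KNOWN_SAMPLES["CAT-0001"][:-1] + b"Z",    # one byte changed: miss
        "docs/logo.png": b"\x89PNG\r\n\x1a\n" + b"C" * 64,          # unrelated picture
        "notes.doc": b"\xd0\xcf\x11\xe0" + b"D" * 64,               # not a picture
    }
    return gallery(recovered), match_known(recovered, known)
```

The gallery is what the examiner eyeballs; the hash hits are what raise the alert. The altered file appears in the gallery but not in the hits, so a complete review still needs the human pass the article describes.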

Overall, I found FTK significantly easier to use than EnCase. FTK makes it fairly easy to navigate through the file system and quickly spy on the file contents. Whereas EnCase relies heavily on external file viewers, FTK has a wide variety of viewers built into it. You can click on a button labeled Spreadsheets, and FTK will display a list with every found spreadsheet, its file name, the application that created it, and its creation date. Click on the name, and the spreadsheet itself displays in a different file pane. There are also one-button searches for databases, graphics and e-mail messages. Click on an Outlook PST file, and FTK will decode all of its content as well, including sent e-mail, journal entries, tasks, the calendar and deleted items.

On the other hand, FTK's all-in-one design can cause problems. FTK does an excellent job rendering webpages, but that's because the program uses the built-in Windows control for displaying HTML. This can cause problems with suspect data, since the control parses, and runs, whatever script it finds in the evidence. At one point, Windows started hammering me with JavaScript error alerts because the JavaScript on a hard drive that I was analyzing was malformed.

Serious investigators, of course, will want both; sometimes one program will find information that the other will miss. Such is the nature of all forensic tools: although they will help with an investigation, they do not automate the process.

But with so many good tools for finding things on hard drives, you would think that people or companies throwing them out would do their best to clean them. As we'll see next month, that's rarely the case. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is the founder of Sandstorm Enterprises, an information warfare software company, and sits on its board. He can be reached at machineshop@cxo.com.


retrieval of relevant frames a basic database query.

As smart as that sounds, ObjectVideo says the technology is evolving so rapidly, it will get even smarter soon. At any rate, it appears the days of a drowsy security guard lording over tiny black-and-white closed-circuit TVs are fading, fast.

-Scott Berinato


Frame Enhancement

VideoDetective, made by Pyramid Vision Technologies, is a briefcase-size unit that can be used to enhance low-quality video images by culling and compositing details from several different frames. Sample usage: Convenience-store holdups are frequently recorded on security cameras, but over-used VCR tapes, poor lighting and obstructed views often make the video virtually useless in identifying the thief. With VideoDetective, which can plug into a squad car cigarette lighter, police on the scene can immediately review the tape and select the frames with the best view of the perp; the unit can then automatically clarify those images with additional details from surrounding film frames, then print color copies for distribution to possible witnesses or other local law enforcement.

It ain't cheap, costing on the order of $50,000, according to one customer, so although crime doesn't pay, video enhancement surely must. Find more details at www.pyramidvision.com.

-Derek Slater




CIO  Perspectives 

Powerful  Insights. 

Actionable  Ideas. 

Great  Networking. 


AN  AGENDA  FOR 
PROFESSIONAL 
AND  PERSONAL 
SUCCESS 

April  27-29, 2003 

Hyatt  Regency  Coconut  Point  Resort  &  Spa 
Bonita  Springs,  Florida 


As  information  technology  permeates  all 
areas  of  the  business,  CIOs  have  found  that 
they  are  expected  to  be  much  more  than 
technology  experts.  They  need  to  be  leaders, 
motivators,  communicators,  educators  and 
collaborators.  They  need  to  work  within  the 
organization’s  ethics,  values  and  culture, 
navigate  the  politics,  set  realistic 
expectations.  They  need  to  establish 
themselves  as  trusted  partners  throughout 
the  organization.  And  yes— they  still  need  to 
keep  current  with  technologies  that  will 
significantly  impact  the  business. 

Join  your  CIO  peers  as  we  explore  how 
to  hone  the  skills  you  need  to  become 
The  Complete  CIO. 


Visit  us  at  www.cio.com/conferences 
or  call  800  366-0246. 


The  Resource  for 
Information  Executives 


THE COMPLETE CIO
AN AGENDA FOR PROFESSIONAL AND PERSONAL SUCCESS

Hyatt Regency Coconut Point Resort & Spa • Bonita Springs, Florida • April 27-29, 2003


SUNDAY, APRIL 27

8:00 am-1:30 pm
Golf Tournament

3:00 pm-5:00 pm
Registration

6:00 pm-8:00 pm
Registration, Welcome Reception & Golf Awards

MONDAY, APRIL 28

7:00 am-8:00 am
Networking Breakfast

8:00 am-8:15 am
Welcome
ABBIE LUNDBERG, Editor in Chief, CIO Magazine
JONATHAN ZITTRAIN, Conference Moderator and Cofounder, The Berkman Center for Internet & Society, Harvard Law School

8:15 am-9:15 am
The Complete CIO
CHARLIE FELD, Founder, The Feld Group & Former CIO of First Data Resources, Delta Air Lines, Burlington Northern and Frito-Lay

CIOs increasingly have more of a hand in defining and driving corporate business strategy. And everyone has greater expectations of their CIO: business line managers, the executive management team, the CEO, the board of directors. What are the essential skills and attributes needed to thrive in the CIO role today? Charlie Feld talks about his own experiences over time as CIO of very diverse businesses, and what his client companies demand today.

9:15  am-9:40  am 

2nd  Annual  State  of  the  CIO 
Survey  Results  Highlights 

LORRAINE 
COSGROVE, 

Research  Editor, 

CIO  Magazine 

This  year's  exclusive 
survey  of  over  500  IT 
chiefs  reveals  a  very  different  set  of 
challenges  and  a  new  set  of 
priorities  from  a  year  ago.  We 
share  some  of  the  highlights. 


9:40 am-10:30 am
View from the Top: Creating Value Through IT
NIGEL MORRIS, Cofounder, President & COO, Capital One Corp.

Morris shares his viewpoint on the role of IT, and the criteria for measuring a CIO's ability to articulate and deliver true IT value to the enterprise.

10:30  am-ll:00  am 

Coffee  Break  and  Sponsor 
Exhibits 


11:00  am-12:40  pm 

Sponsor  Briefings 


12:45  pm-2:15  pm 

Networking  Lunch 


2:30 pm-3:45 pm
Delivering Value: How to Manage Your IT Portfolio and Make a Strong Business Case
Participants:
JACK KEEN, Coauthor, Making Technology Investments Profitable
HOWARD RUBIN, Vice President, META Group, Inc.

In today's business environment, it's all about value. And it's up to the CIO to make sure that every IT investment delivers maximum returns. In this session, we'll explore how to build the portfolio that's right for your organization, how to manage it for greatest business benefit, and how to use it as an effective communications tool with your business partners. We'll also discuss how to make a compelling business case for new IT initiatives, even if your company is in cost-cutting mode.


3:45 pm-5:00 pm
The CIO Interview
MONTE FORD, Senior Vice President & CIO, American Airlines

Ford took on the top IT spot at the world's biggest airline at the end of 2000, then had to deal with the acquisition and merger of TWA, the economic recession, Sabre selling its outsourcing business to EDS, and the events of 9/11. CIO magazine Editor in Chief Abbie Lundberg talks with Ford about his pivotal role in the organization and his plans for the future of IT.


5:00  pm-6:30  pm 

CIO  Peer-to-Peer 
Networking  &  Reception 

TUESDAY,  APRIL  29 

7:00  am-8:00  am 

Breakfast  &  Informal 
Discussion  Roundtables 

8:00 am-8:45 am
What Every CIO Should Know About Digital Rights Management
JONATHAN ZITTRAIN

Entertainment companies aren't the only ones with digital content worth safekeeping. More companies now are realizing the potential threats and are seriously weighing the risks of not implementing digital rights management (DRM) technologies. Zittrain explores recent trends in DRM deployment and discusses the impact on businesses of all types.

8:45 am-9:45 am
Best Practices for Getting Outsourcing Right
Moderator: MARTHA HELLER, Director, CIO Best Practice Exchange & CIO Select

Any CFO will tell you that the more you outsource the more you save. But as CIO, you know the pitfalls: lowered productivity, cultural conflicts, service level problems, to name only a few. This panel of CIOs, drawn from the CIO Best Practice Exchange, our online network of CIOs, will provide best practices for determining what to outsource when, and how to sell the strategy to the board.


9:45 am-10:30 am
Becoming a Trusted Business Partner
JERI DUNN, Senior Vice President & CIO, Tyson Foods, Inc.

The CIO's sphere of influence has never been larger. You must work with executive management and peers, internal and external customers, line of business directors, staff and vendors. You must set and achieve both strategic and tactical goals, articulate and demonstrate ROI, communicate and manage expectations. Dunn shares the benefit of her experience.


10:30 am-11:00 am

Coffee  Break  & 
Sponsor  Exhibits 


11:00  am-12:40  pm 

Sponsor  Briefings 

12:45  pm-2:00  pm 

Networking  Lunch 

2:15  pm-3:30  pm 
InFocus  Workshop 
Breakout  Sessions 

InFocus  Workshops  are  designed 
to  give  conference  attendees  the 
opportunity  to  meet  in  smaller 
groups,  and  discuss  specific  topics 
and  issues  in  greater  detail. 

InFocus Workshop #1
Building the Right Team: Your Success Depends On It
JUDY B. HOMER, President, JB Homer Assoc.

Building the right IT team may not be an easy task, but as a CIO your success depends on it. In today's highly competitive technology talent market, what factors do you look for when you recruit and build your team that will contribute to realizing your goals? How can you become a more effective leader of your team? Executive recruiter Judy Homer provides you with tools to identify and overcome the obstacles in your path, and set the milestones for measuring your success. Workshop participants develop strategies and create a checklist for visualizing your goals and for building the team needed to support you in making them a reality.


InFocus Workshop #2
Meeting Your Goals: Where Executive Coaching Can Help
MICHAEL BRENNER, Chief Resource, Brenner Executive Resources, Inc.

The biggest problems many CIOs face are with people, not with technology. The CIO needs to adapt to greatly different human interactions to handle the 360 degrees of interaction. You can't always be your own mentor. Executive coach Michael Brenner discusses the special challenges CIOs face and how to use executive coaching as a tool. The benefits can include having an objective sounding board, determining accountability, resolving conflict and maintaining work/life balance. He provides sources of executive coaches, tips on how to pick and work with one, and explores specific situations suggested by attendees.

InFocus Workshop #3
Plugging Business Case Leaks in the IT Value Pipe
JACK KEEN, Coauthor, Making Technology Investments Profitable

A dependable business case is a vital management tool, not just to "get the money," but throughout the entire life cycle of a project, from the moment it is conceived, through proposing, selection, implementation and systems operations. Like many things in life, however, business case appearances can be deceiving: the majority are unintentionally inaccurate and incomplete, thus dangerously misleading in their recommendations to management. Keen shows us how to identify the likeliest weak links and fix them. He shares how to avoid missing benefits, missing intangibles and poorly supported calculations and reasoning.

InFocus  Workshop  #4 
Effectively  Marketing  IT 
Internally 

PATTY  JARAMILLO,  Founder, 
Creative  IT  Marketing 

A common CIO lament is that the business and financial sides of the house don't understand IT, but Jaramillo's recent study shows that most CIOs do not have a plan in place for internal marketing communications for IT. To be successful, you need to continually educate the business side to IT value, and you need to do it in terms they understand. Jaramillo talks about the importance of being an active communicator, and shares techniques and tools that have worked for a number of organizations.

3:45  pm-4:45  pm 

Developing  the  Next 
Generation  of  IT  Leaders 

Moderator: RICK SWANBORG, President, ICEX
Panelists: DAVID GUZMAN, Senior Vice President & CIO, Owens & Minor; EDWARD L. GLOTZBACH, Executive Vice President & CIO, SBC; MICHAEL HARTE, CIO, PFPC; MAMIE MILLARD, Senior Vice President, Technology, Travelocity.com

In addition to honing their own leadership abilities, CIOs are concerned with identifying and developing effective leaders in their organizations. Swanborg and a panel of CIOs discuss the challenges involved, and share the techniques they've used to mold the next generation of IT leaders.

4:45  pm-5:30  pm 
How  to  Get  a  Life 

DR.  RICK 
BRINKMAN, 

Author  of  Life  By 
Design:  Making 
Wise  Choices  in  a  Mixed-Up 
World 

With  the  Internet,  cell  phones, 
laptops,  wireless  and  loads  of 
other  nifty  gadgets,  we  can  now 
work  anytime  from  anywhere  in 
today’s  24/7  global  business 
environment.  Dr.  Rick  looks  at  why 
it's  increasingly  important  to 
maintain  a  healthy  balance 
between  Life  and  Work. 

5:30  pm-5:45  pm 

Closing  Summary 

JONATHAN  ZITTRAIN 

5:45  pm-6:45  pm 

Networking  Reception 

7:30  pm-9:30  pm 

CIO  DinnerParty 


“Superb opportunity to network, learn, share, and a great reality check.”
-Mike Nogle, VP & CIO, Tab Products

“The CIO Perspectives conference is the most valuable executive conference that I have attended.”
-Richard Yanke, Sr. VP & CIO, Three Rivers Bank

“If you can only attend one IT management conference, CIO Perspectives is IT!”
-Phil Go, CIO, Barton Malow

This CIO Perspectives is sponsored by: Legendary Reliability; Intel; SUNGARD Availability Services (The Net Beneath You); SupportSoft; Viacore

Visit us at www.cio.com/conferences or call 800 366-0246.

The Resource for Information Executives


CSO Undercover

Why Outsourcing Won’t Work

The number crunchers don’t see security the same way I do. To them, it's nothing but numbers. To me, it’s the crown jewels of the organization. By Anonymous

ILLUSTRATION BY GERARD DUBOIS

WE’VE DECIDED to outsource security at my company.

We’ll be doing so against my better judgment. Because, to me, when you give away the protection of the crown jewels, you’re just asking for trouble. But beyond my concerns about what it all means for my company’s security, it also means I’m going to have to let some of my best people go. Not because they’re doing a bad job, mind you, but because some accountant in our finance department put forth a costing study that claims we can save money by outsourcing.

I wish that the accountants had to do my job at times like this. They don’t get to see the business of security while tucked cozily away in their little offices. To them, security is just numbers, nothing more. All the breached machines. The scummy pornographic spam. The employee stalkers. It’s just numbers to them. They think that the staff is too expensive and that they should go. They think we can do better with strangers who cost less—or so the analysis says.

I want to tell the finance guys, “Sure, you can outsource security. But where should we buy our loyalty?”

They just stare back at me, confused.

I mean, how do you factor loyalty, dedication or willingness to go the extra mile into return-on-investment analyses? And make no mistake, employee loyalty and dedication are two of the most important things we’ll lose. Immediately.

These great people on our security staff are the same people who worked and worried all weekend long when security problems arose. They’re the same people who put their personal lives on hold to save the company’s butt when someone broke into our systems and messed with our customer records. The same people who put their faith in the company. We were family.

Does ROI take any of that into account? Of course not. Oh, sure. We might be able to get some extra care from the outsourcer. But we’ll only get it at an extra cost. Most of the soft stuff we won’t see at all because the vendor’s loyalties will never be the same as the employee’s loyalty. And so the employees will lose, but—let’s face it—the company will also lose because it won’t be able to buy the same sort of dedication from an outsourcer that it can find in an employee.

Meanwhile, the finance twerps won’t have to be the ones to look good people in the eye and tell them the past 10 years of hard work doesn’t mean squat. Mostly they just run the numbers and call the shots after doing “the analysis.”

Statistics and I have always been at odds. There’s a saying: Lies, damn lies and statistics. It reminds me that one can find numbers that say anything. Especially if you make it up. We all know that it’s easy to use numbers to make anything look good.

A friend of mine—a manager at a large oil company—got himself a master’s degree in mathematical statistics. When I once asked what possessed him to work on such a degree, he smiled and told me, “I’ve learned that, with statistics, I can make a persuasive case for anything I want.”

Over the years, I’ve discovered how right he is. Anyone can turn any ROI analysis into something that supports whatever case he is trying to make. But that isn’t necessarily the truth.

And so here I sit, contemplating the value of number crunching and awaiting the sweet aftermath of outsourcing. And 50 years of expertise—that’s five people, averaging 10 years each with the company—will be looking for employment elsewhere (with our competitors?).

And most of that experience can’t just be replaced by a vendor, no matter how good it is. These five employees, they know all the employees here. They know all the hacks and attacks we have had. They know what we did to stop them and what we did to make certain that they wouldn’t happen again. They understand most of the management issues, the budgetary problems, the idiosyncrasies of the company. They know what it takes to communicate information about security throughout the company. They’re trusted by employees to make sense of the chaos that happens in the fog of war.

And they’ll be replaced by outsiders. And part-time outsiders, at that.

It’s funny because I’m not that worried about how well the outsourcing company does the grunt work, the mechanical stuff. The particular outsourcer we’re turning to has all the right credentials, all the right experience—an admirable track record, in fact. I checked it out pretty thoroughly. And I’m sure that it will be able to keep the vehicle running. That’s not my concern.

No, what really worries me is the “gotchas”—you know, the problems that an outsider can’t know about and probably doesn’t care about.

I remember reading an article years ago about a large commercial soup maker losing its top cook—an expert who knew all about the glitches in the heating systems and the subtleties of the recipes. The cook was eager to retire, so the soup company designed an expert system to capture as much knowledge as it could from this one particular guy about his work. Two years later, the cook was still working as a full-time consultant to the company because the “expert system” was still severely lacking the knowledge that he had accumulated during his 40 years at the company. The soup maker realized that, if it lost that knowledge, it would have suffered in a major way.

We’re about to do the same thing with our organization. Only we have no expert system being built to at least capture the knowledge. Even worse, I have also been told that we’ll have no budget to rehire ex-employees to help if something goes very wrong. So we’re going cold turkey. Geesh, even smokers trying to kick the habit get the patch. We just get the shaft.

I talked to one of my peers at another company that uses the same outsourcer we’ve selected. She told me it is competent and will do a good job. When I asked her about knowledge base loss, she was quiet for a moment and then, in a low voice, told me that the loss of people who knew how to get things done in security had dealt her company a serious blow to productivity.

She also said that no ROI she knew of could explain all the ancillary costs they have run into trying to compensate for the loss of smart people with extensive knowledge who worked day and night to keep the lid on the pressure cooker that is her company. When you add all the numbers together as part of the real situation, she said, it costs more to outsource than to keep it in-house.

I asked what happened when she brought it up. She said no one wanted to talk about it or hear any bad news. Period. Decisions had been made, and there was no point in bringing it up until the whole exercise is a dismal failure five years from now when the outsourcing contract expires.

It’s hard to deny. My personal attitude is going from bad to worse. Of course, I’ll be expected to work with the guys in finance who concocted this whole plan. And I’ll have to play nice with them. Otherwise, I won’t get the purchase orders signed for the unscheduled coverage time by the contractor. I won’t get the contracts amended for the extra work I’ll need done. And I won’t get the budget overrides approved for vacation time that they forgot to account for in “their” plan.

You can be sure that none of those costs are going to show up in the post-conversion analysis that the finance guys do. Instead, they’ll get their raises and promotions and go about their business of figuring out which department should get hosed next.

Most likely, I’ll be fired in a month or two when none of this works and the finance guys are looking for a scapegoat. Or maybe I’ll stay here and work at becoming an expert at managing outsourced relationships. I suppose I could manage all sorts of outsourcing relationships if I got really good at it: shipping, IT, HR, finance.... Hmmm....

In the meantime, I cannot possibly get all the work done properly with the bare-bones staff available to me from the outsourcing vendor. I mean, the vendor is competent in many areas, but it will not be able to help out in important ways like corporate security policy development, business case development, integration issues with other departments, security awareness training and so much more. No, I’m on my own for all of that now.

But tomorrow is another day.

Today, I get to visit HR to get the paperwork done for the employees I’ll be letting go. I always thought that people were the most valued asset of a company. I guess I was wrong. It appears that the most valued asset in my company is an accountant who thinks he knows how to make a security department cost-effective. I’m sure he can pitch in to help when we get hacked again. ■

This column is written anonymously by a real CSO at a major corporation. For reader feedback, e-mail us at csoundercover@cxo.com.

58 www.csoonline.com March 2003


CIO ENTERPRISE VALUE AWARDS

The Resource for Information Executives

As an executive who has built or utilized an IT system that delivers both demonstrable ROI and strategic value to your organization, you deserve recognition and praise.

The CIO Enterprise Value Award will bring you, your company and your IT organization the industry prestige you deserve.

Download the application from our website at www.cio.com/eva or contact Lynne Rigolini at (508) 935-4088.

Deadline for entry: May 15, 2003


Powell Goldstein Frazer & Murphy LLP

The Resource for Security Executives

Announcing: A powerful two-day conference presented

CONTRACTS
DEPARTMENT HOMELAND SECURITY

Meeting the Government’s Changing Needs in a Brave New World

April 8-9, 2003 • Washington Marriott • Washington, D.C.

With a high priority mandate and budget of 93 billion dollars, the new Department of Homeland Security will spend more money on products/services in 2003 than many countries’ entire GNP. However, this massive government reorganization combined with extraordinarily sensitive new initiatives has caused the department to revamp its procurement practices from the ground up. Companies that understand how to navigate the new procurement policies and idiosyncrasies will be at a tremendous advantage. At the symposium you will:

• Gain a thorough understanding of new homeland defense procurement procedures
• Be advised directly from agency decision-makers how to strategically position your business
• Meet and learn agency nuances from executives within OMB, GSA and Homeland Defense

SPEAKERS INCLUDE:

CONGRESSMAN TOM DAVIS (R-VA), Chair, House Government Reform Committee

DAVID A. DRABKIN, Deputy Associate Administrator, Office of Acquisition Policy, General Services Administration

THE HON. ANGELA STYLES, Administrator, Office of Federal Procurement Policy, White House Office of Management and Budget

HOWARD SCHMIDT, Vice Chair, President’s Critical Infrastructure Protection Board

PRESENTED BY: BNA (Essential information. Expert analysis.) and Venable

Register Today! Call (631) 368-2082 x21
Or register online at http://conferences.pf.com/homeland-security


Sales  and 
Services 

CSO  Sales  Offices 

President  Walter  Manninen  •  508  935-4101 
Group  Publisher 
Gary  J.  Beach  •  508  935-4202 
Publisher  Bob  Bragdon  •  508  935-4443 
Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Eastern  Regional  Account  Executive 
Kim  Forrest  •  508  935-4068 
Senior  Regional  Manager 
Kathy  Powers  •  973  244-4041 

Midwest 

Regional  Director 
Robert  E.  Sawdon  •  512  306-9801 
Regional  Sales  Manager 
Christopher  Nolan  •  847  441-5005 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 
Senior  Regional  Manager 
Jane  Evans  •  415  975-2680 
Regional  Manager 
Al  Collins  •  415  975-2686 
Regional  Sales  Manager 
Chris  Bramel  •  949  475-5579 

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

List  Services  Coordinator 

Kim  Cormican  •  508  935-4152 

Online  Services 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 

Online  Sales  Mgr. 

Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development 
Tom  Field 

Project  Manager  Amy  Greenleaf 
Graphic  Designer  Chris  Brown 


Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator 
Lisa  Stevenson 

Executive  Programs 

Senior  Vice  President  Ronald  L.  Milton 

Conference  Management  VP 

Cynthia  Mollus 

Marketing  Services  Director 

Shellie  Rapson  James 

Director  of  Sales  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Conference  Program  Manager  Randy  Levy 

Marketing  Manager  Glede  Kabongo 

Marketing  Services  Coordinator 

Andrea  Slobogan 

Event  Development  Specialist 

Sandra  J.  Flughey 

Operations  Coordinator  Michael  Barbato 
Event  Planning  Manager  Amy  Turell 
Senior  Customer  Service  Coordinator 
Sarah  Yee 

Marketing 

Executive  VP/Marketing 
Cathy  O’Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate 
Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 
Kari  Curto 

Marketing  Comm.  Associate 
Sarah  Crowley 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For  article  reprints,  please  contact  Reprint 
Services  at  651  582-3800  or  e-mail 
csoreprints@reprintservices.com. 

For  further  sales  information,  visit 
www.csoonline.com/marketing/sales.html. 


CSO  Contact 
Information 

Editorial, Advertising and Business Offices

492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal Information

CSO (ISSN 1540-904X) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Application to mail at Periodicals postage rate is pending at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions

Copyright 2003 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send all requests to Permissions Department, CSO, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208.

Photocopy Rights

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol:

Subscriptions

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified information executives. To all others the one-year basic rate is $90 for the United States and Canada, $115 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change of Address

Please go to www.omeda.com/custsrv/cso and follow the online instructions.

Postmaster

Send change of address to CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Index of Companies and Advertisers

Page numbers refer to the first page of the article(s) in which the company is mentioned. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.

Company Index

4FrontSecurity Inc. ... 32
Anixter Inc. ... 51
Archer Daniels Midland Co. ... 26
Baseops International ... 26
Boston Scientific Corp. ... 38
British Standards Institute ... 32
Center for Strategic and International Studies ... 20
ConocoPhillips ... 38
Control Risks Group ... 26
Corning Inc. ... 20
Council on Excellence in Government ... 20
First Data Corp. ... 32
Gartner ... 44
General Dynamics Corp. ... 20
Giga Information Group Inc. ... 32
H.J. Heinz Co. ... 26
iJet Travel Intelligence Inc. ... 26
International Organization for Standardization ... 32
KeyCorp ... 44
Kroll Inc. ... 26
MailWise LLC ... 13
Marriott International Inc. ... 32
Merrill Lynch & Co. Inc. ... 13
Meta Group Inc. ... 13
Morgan Crucible Co. PLC ... 26
ObjectVideo ... 51
Pennsylvania-American Water Co. ... 13
Postini Inc. ... 13
Pyramid Vision Technologies ... 51
Scalingi Group, The ... 13
Security Risk Solutions ... 13
Symantec Corp. ... 32
Texaco Inc. ... 38
Vanguard Group, The ... 32

Advertiser Index

Aladdin Knowledge Systems ... 7
Anixter Inc. ... 9
BMC Software ... 5
Bureau of National Affairs ... 61
Check Point Software ... C2
CompTIA ... 53
CXO Media Inc. ... 55, 59, 63
GuardedNet ... 19
IBM Corp. ... C4
Information Systems Audit and Control Assoc. ... 15
Intense School ... 50
NEC Solutions ... 17
Nokia ... 12
Psynapse Technologies ... C3
Qualys Corp. ... 11
Robert Half Technology ... 25
Stonesoft Corp. ... 43
Symantec Corp. ... 2
VeriSign ... 21, 23


CSO Perspectives

Today's security executives meet at the CSO Perspectives Conference

BUILDING A CULTURE OF SECURITY

As an executive responsible for securing and protecting an organization’s information assets and infrastructure, you are constantly searching for how to better define your mission and responsibilities within the enterprise.

You need a forum in which you can address your own unique set of business-level challenges—and network with your peers.

June 17-19, 2003
Hotel del Coronado
Coronado, California

CSO Perspectives meets those needs with an educational and networking conference just for you—chief security officers (CSOs) and senior technology decision-makers (CIOs). At CSO Perspectives, you’ll gain firsthand knowledge from industry experts and your peers that can enhance your organization’s security strategy.

You’ll have the opportunity to:

• Exchange best practices in balancing risk and responsibility
• Learn from your peers what works in the real world
• Explore creating a culture of security
• Understand the current thinking on key issues and trends
• Uncover the hidden threats of legal liability
• Examine emerging technologies that will impact your enterprise

Visit us at www.csoperspectives.com or call 800 366-0246.

The Resource for Security Executives

Opening Keynote: Wesley Clark, Former NATO Supreme Allied Commander & CNN Military Analyst

Conference Moderator: Jonathan Zittrain, Co-director, The Berkman Center for Internet & Society, Harvard Law School

Thursday Evening: Jimmy Tingle, Social/political Commentator & Humorist


Pop Quiz

Patently Secure

1. What was the subject of the first patent that used the term “biometrics”?
a. A fingerprint identification machine
b. A basal body temperature monitor
c. A method for tranquilizing warm-blooded animals
d. A treadmill that tracks heart rate

2. What was the first patented biometrics device that was IT-related?
a. A fingerprint identification machine
b. A face recognition scanner
c. A software program that uses foot size for identification purposes
d. A 3-D hand profile ID apparatus

3. Since 1976, more than 2.5 million patents have been issued. How many reference the word “security”?
a. 16,475  b. 64,689  c. 123,210  d. 493,298

4. There are about 300,000 pending patents, applied for since 2001. How many reference the word “security”?
a. 16,475  b. 64,689  c. 123,210  d. 493,298

5. “Hacker” appears in 1,683 patents. What percent actually refers to an inventor’s name and not the computer practice?
a. 0  b. 1  c. 8  d. 15

6. True or False: Emil Hacker patented a dishwasher in 1909.

7. How was “hacker” defined the first time it was used in reference to computers, in 1985 for a “modem security device”?
a. “A highly skilled computer operator with devious intentions”
b. “An amateur trespasser who breaks into computers for the fun of it”
c. “Bad guys”
d. “Nerds who know more about computers than the average Joe”

8. How many patents and patent applications use the phrase "windows security”?
a. 7  b. 23  c. 28  d. 38

9. How many of them are referring to Windows the software product?
a. 7  b. 23  c. 28  d. 38

10. True or False: Two patents that reference “Windows security” do so because the inventions address the disadvantages of Windows security.

11. What is the security device pictured above?
a. A bandit-catching armored tank for thwarting bank robberies
b. Detail of an electrical fence design for stopping prison escapes
c. An incinerator for destroying potentially damaging internal documents
d. Emil Hacker’s 1909 dishwasher

12. What does Stanley Valinski, who received the above patent on Sept. 27, 1921, list as some of its features?
a. “Inhabited by an [unseen] watchman"
b. "Includes a novel catching and holding device for bandits”
c. Includes “peep holes" for viewing bandits and “gun holes for watchman to attack burglars by weapons or the like”
d. All of the above

13. How many patents since 1976 reference “anti virus software”?
a. 1  b. 13  c. 29  d. 48

14. How many reference an “anti snoring device”?
a. 1  b. 13  c. 29  d. 47

Bonus Question! What is the significance for security personnel of patents 6,246,771 and 6,449,723?

NOTE: DUE TO THE STRUCTURE OF WWW.USPTO.GOV, SEARCHES GENERALLY COVER 1976 TO THE PRESENT, EXCEPT WHERE OTHERWISE NOTED. SEARCHES USED TEXT EXACTLY AS QUOTED IN THE QUESTIONS AND WERE PERFORMED ON JAN. 13 AND JAN. 16, 2003.

How’d You Do?

0-5 correct: Patently Absurd
6-12 correct: Patently Average
13-15 correct: Patently Dishonest

ANSWERS: 1. C, 2. C, 3. B, 4. A, 5. C, 6. True, 7. B, 8. D, 9. A, 10. True, 11. A, 12. D, 13. C, 14. [illegible], BONUS: They are the first two patents that specifically mention a chief security officer.


ILLUSTRATION  BY  STEVEN  DANA 


Finally, an intrusion protection system with brains

Imagine an intrusion protection system that actually anticipates a hacker's behavior. Checkmate is the newest breed of intrusion protection, and the first to truly combine behavioral and computer sciences. Created by nationally recognized experts in psychological assessment and network security, Checkmate assesses a hacker's intent and prevents damage before it occurs. For more information visit www.psynapsetech.com

Game Over.


UNEXPECTED  HIT 


software 

SELF 

HEALING 

PLAY 


1] WIN WITH SELF-MANAGEMENT: Whether it’s boy bands or rubber bands, software that effectively manages an e-business is essential. But software that corrects problems before they occur? That’s extraordinary.

2] WIN WITH TIVOLI: Unlike other solutions that tell you you've violated a service level agreement after the fact, Tivoli software detects trends and makes adjustments before things go awry. Tivoli. Part of our software portfolio, including DB2®, Lotus® and WebSphere®.

3] MAKE THE PLAY: Visit ibm.com/tivoli/unexpected and download a free buyer's guide on how to meet your service level agreements.

(e) business is the game. Play to win.

CIO GETS UNEXPECTED PRAISE


